Overview
CVE-2025-65405 details a use-after-free vulnerability found in Live555 Streaming Media version 2018.09.02. This flaw resides within the ADTSAudioFileSource::samplingFrequency() function and can be exploited by attackers who provide a specially crafted ADTS/AAC file. Successful exploitation leads to a Denial of Service (DoS) condition, impacting the availability of services relying on the vulnerable Live555 library.
Technical Details
The vulnerability occurs due to improper memory management within the ADTSAudioFileSource::samplingFrequency() function. The function attempts to access memory that has already been freed, resulting in a use-after-free condition. This typically happens when a crafted ADTS/AAC file is processed, causing the function to operate on a dangling pointer. The specific conditions leading to the memory corruption involve manipulating the ADTS header in a way that triggers premature deallocation of the memory used to determine the sampling frequency. When this memory is later accessed, the program crashes due to reading invalid memory address, leading to a Denial of Service.
CVSS Analysis
At the time of publication (2025-12-01), the CVSS score for CVE-2025-65405 is not available (N/A) and therefore no severity is present (N/A). This may be due to ongoing analysis or lack of sufficient data for a proper risk assessment. We will update this section as more information becomes available. Factors that might influence the CVSS score include:
- Attack Vector: Network (if the file can be provided remotely)
- Attack Complexity: High (crafting a specific ADTS/AAC file requires knowledge of the vulnerable code)
- Privileges Required: None (potentially, if the file can be processed without authentication)
- User Interaction: Required (potentially, if a user needs to open the file)
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Possible Impact
The primary impact of CVE-2025-65405 is a Denial of Service. An attacker can exploit the vulnerability to crash applications or services that use the vulnerable version of Live555 Streaming Media to process ADTS/AAC files. This can lead to service disruptions and negatively impact users who rely on these services. The lack of Confidentiality and Integrity impact means that data is not compromised, but the interruption of service can still be significant.
Mitigation or Patch Steps
Unfortunately, Live555 Streaming Media v2018.09.02 is an outdated version. Users are strongly advised to:
- Upgrade Live555: The most effective mitigation is to upgrade to a more recent, actively maintained version of the Live555 library. Check the official Live555 website (if available) or the GitHub repository for updates.
- Input Validation: Implement robust input validation on ADTS/AAC files before processing them with Live555. This can help prevent the parsing of malicious crafted files.
- Implement Resource Limits: If upgrading is not immediately possible, consider implementing resource limits to minimize the impact of a potential DoS attack. This may involve limiting the size or number of ADTS/AAC files processed concurrently.
