UBUNTU-CVE-2025-49140
- Source
- https://ubuntu.com/security/CVE-2025-49140
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-49140.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-49140
- Related
- Published
- 2025-06-09T22:15:00Z
- Modified
- 2025-06-13T12:43:28Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Pion Interceptor is a framework for building RTP/RTCP communication software. Versions v0.1.36 through v0.1.38 contain a bug in a RTP packet factory that can be exploited to trigger a panic with Pion based SFU via crafted RTP packets, This only affect users that use pion/interceptor. Users should upgrade to v0.1.39 or later, which validates that:
padLen > 0 && padLen <= payloadLengthand return error on overflow, avoiding panic. If upgrading is not possible, apply the patch from the pull request manually or drop packets whose P-bit is set but whose padLen is zero or larger than the remaining payload. - References
-
- https://ubuntu.com/security/CVE-2025-49140
- https://www.cve.org/CVERecord?id=CVE-2025-49140
- https://github.com/pion/interceptor/security/advisories/GHSA-f26w-gh5m-qq77
- https://github.com/pion/webrtc/issues/3148
- https://github.com/pion/interceptor/pull/338
- https://github.com/pion/interceptor/commit/fa5b35ea867389cec33a9c82fffbd459ca8958e5
Affected packages
Ubuntu:24.10 / golang-github-pion-interceptor
Package
- Name
- golang-github-pion-interceptor
- Purl
- pkg:deb/ubuntu/golang-github-pion-interceptor@0.1.12-1?arch=source&distro=oracular
Ubuntu:24.04:LTS / golang-github-pion-interceptor
Package
- Name
- golang-github-pion-interceptor
- Purl
- pkg:deb/ubuntu/golang-github-pion-interceptor@0.1.12-1?arch=source&distro=noble