Skip to main content

libaom EUVDEUVD-2026-38044

| CVE-2026-56209 HIGH
Out-of-bounds Write (CWE-787)
2026-06-19 secalert@redhat.com GHSA-8vmr-q5h8-3vc5
7.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
vuln.today AI
8.3 HIGH

Network-reachable encoder fed attacker frames (AV:N/AC:L/PR:N), user must initiate media session (UI:R); a deterministic arbitrary write yields high integrity/availability impact and likely memory disclosure (C:L).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 19, 2026 - 19:00 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 19, 2026 - 19:00 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 19, 2026 - 18:52 vuln.today
cvss_changed
Severity Changed
Jun 19, 2026 - 18:52 NVD
CRITICAL HIGH
CVSS changed
Jun 19, 2026 - 18:52 NVD
9.1 (CRITICAL) 7.1 (HIGH)
Analysis Generated
Jun 19, 2026 - 17:33 vuln.today

DescriptionCVE.org

An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.

AnalysisAI

Arbitrary address write in libaom, the reference AV1 video codec implementation, allows remote attackers to corrupt memory by supplying crafted pixel values to an encoder that has Scalable Video Coding (SVC) enabled, leading to denial of service or potential code execution. The flaw stems from a missing bounds check in the SVC layer ID control function that lets pixel data inject an attacker-controlled pointer into the cyclic refresh map, after which ~1,200 bytes are written deterministically to the chosen address. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify libaom encoder with SVC enabled
Delivery
Establish media session to target
Exploit
Send crafted frame with malicious pixel values
Install
Trigger SVC layer-ID control bounds miss
C2
Write ~1,200 bytes at chosen address
Execute
Corrupt control data in encoder process
Impact
Achieve DoS or code execution

Vulnerability AssessmentAI

Exploitation Requires the target to run libaom as an encoder (not just a decoder) with SVC (Scalable Video Coding) enabled - typically a server-side AV1 transcoder, a WebRTC SFU/MCU that re-encodes participants, or a client encoding camera input for a call - and requires the attacker to be able to supply raw frames whose pixel values are passed into that encoder. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H, 7.1 High) reflects a network-reachable, unauthenticated condition with user interaction and high availability impact, matching a media-frame-driven encoder bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker joins a WebRTC conference or uploads a video stream to a server-side transcoder whose libaom encoder is configured with SVC; the attacker sends crafted frames whose pixel values encode a chosen pointer that libaom's SVC layer-ID control routine consumes without bounds checking. The encoder then performs a deterministic ~1,200-byte write at the attacker's chosen address, corrupting function pointers, vtables, or allocator metadata to crash the service or pivot to code execution in the media process. …
Remediation Upstream fix available (commit a93ba0ffaa at https://aomedia.googlesource.com/aom/+/a93ba0ffaa); released patched version not independently confirmed from the provided data, so track the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-56209 and Bugzilla 2490800 for the distribution-pinned libaom package version and rebuild dependent applications (Chromium, Firefox, FFmpeg, GStreamer, WebRTC SFUs) once vendor packages are published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems using libaom and confirm whether Scalable Video Coding (SVC) is enabled in production encoders. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected

Share

EUVD-2026-38044 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy