Skip to main content

libaom EUVDEUVD-2026-38045

| CVE-2026-56208 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-19 secalert@redhat.com GHSA-mgv2-4j37-m3x6
7.6
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
vuln.today AI
6.4 MEDIUM

Attacker typically needs an authenticated session to push encoder config (PR:L), heap grooming for anything beyond DoS raises AC:H, no user click is required (UI:N), and availability impact dominates.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
7.1 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
Red Hat
7.6 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jun 19, 2026 - 19:02 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 19, 2026 - 19:01 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 19, 2026 - 18:52 vuln.today
cvss_changed
CVSS changed
Jun 19, 2026 - 18:52 NVD
8.6 (HIGH) 7.6 (HIGH)
Analysis Generated
Jun 19, 2026 - 17:31 vuln.today

DescriptionCVE.org

A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution.

AnalysisAI

Heap buffer overflow in libaom's AV1 encoder allows attackers who influence encoder configuration to trigger a 232-byte out-of-bounds heap write on every frame after the second, when Look-Ahead Processing (LAP) mode is active with g_lag_in_frames >= 1. Affected deployments include transcoding pipelines and WebRTC servers that pass user-controlled encoder parameters to libaom. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed encoder endpoint
Delivery
Submit config with g_lag_in_frames>=1
Exploit
Stream three or more frames
Execution
Trigger 232-byte OOB heap write in LAP ring buffer
Persist
Corrupt adjacent heap objects
Impact
Crash encoder process or hijack control flow

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker can influence the libaom encoder configuration of the target process - specifically setting g_lag_in_frames to 1 or higher so that Look-Ahead Processing mode is engaged - and that the attacker can supply at least three frames of input to the encoder; the bug is deterministic once LAP is active and does not need a malformed bitstream. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 base of 7.6 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H) weights the impact heavily toward availability, which is consistent with a deterministic heap corruption that crashes the encoder process on every encoded stream. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker joins a WebRTC conference or submits a job to a video transcoding service that allows clients to influence encoder parameters, sets g_lag_in_frames to 1 or higher to enable LAP mode, and streams or queues a few frames of media. Starting with the third encoded frame, libaom performs a 232-byte out-of-bounds heap write into adjacent objects, reliably crashing the encoder worker (denial of service) and, with heap-grooming effort, potentially overwriting function pointers or object metadata to pivot toward code execution in the media process.
Remediation Upstream fix available (commit 243f8ae84b in aomedia.googlesource.com/aom); a released patched libaom tag is not independently confirmed from the provided data, so rebuild or update libaom once your distribution publishes a release that includes this commit and track the Red Hat advisory at access.redhat.com/security/cve/CVE-2026-56208 and bug 2490799 for vendor-specific package versions. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all deployments of libaom (transcoding services, WebRTC servers, media processors) and document current versions and LAP mode status; disable LAP mode operationally if feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected

Share

EUVD-2026-38045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy