Skip to main content

libaom EUVDEUVD-2026-38046

| CVE-2026-56210 HIGH
Out-of-bounds Read (CWE-125)
2026-06-19 secalert@redhat.com GHSA-xpjh-7q9g-cgj5
7.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
vuln.today AI
7.1 HIGH

Network-reachable encoder parameter with no auth but requires a submitted stream (UI:R); bounded heap leak gives C:L, process crash gives A:H, no integrity impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jun 19, 2026 - 18:59 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 19, 2026 - 18:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 19, 2026 - 18:52 vuln.today
cvss_changed
CVSS changed
Jun 19, 2026 - 18:52 NVD
8.2 (HIGH) 7.1 (HIGH)
Analysis Generated
Jun 19, 2026 - 17:33 vuln.today

DescriptionCVE.org

A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).

AnalysisAI

Out-of-bounds heap read in libaom's SVC layer ID control function allows remote attackers to leak approximately 40,728 bytes of heap memory or crash AV1 encoder processes by supplying a spatial_layer_id value exceeding the configured number of scalable video coding layers. The flaw affects network-facing services that pass attacker-influenced SVC encoder parameters into the reference AV1 codec, enabling information disclosure or denial of service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify AV1/SVC-enabled service
Delivery
Submit stream with crafted spatial_layer_id
Exploit
Trigger missing bounds check in SVC control
Execution
Out-of-bounds heap read of ~40KB
Impact
Leak heap contents or crash encoder process

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application embeds libaom's AV1 encoder with Scalable Video Coding enabled and exposes the SVC layer ID control parameters (specifically spatial_layer_id) to attacker-influenced input - typical examples are WebRTC SFUs, cloud transcoders, and browser encoder pipelines accepting remote stream configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H rates this 7.1 (High), driven by network reach, low complexity, no privileges, and high availability impact, but tempered by UI:R and only low confidentiality impact - consistent with an OOB read that crashes the process or leaks a bounded heap window rather than enabling RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker connects to a network-facing AV1 transcoding or WebRTC service that exposes SVC encoder parameters (directly via API or indirectly via an SDP/RTP control channel) and submits a spatial_layer_id larger than the configured number of spatial layers. The vulnerable control function indexes the layer context array past its bounds, returning ~40,728 bytes of adjacent heap memory in encoder telemetry/output or, more commonly, dereferencing unmapped memory and crashing the worker process, yielding either a heap-content leak or a reliable denial of service. …
Remediation Upstream fix available (commit a93ba0ffaa on aomedia.googlesource.com); released patched libaom version not independently confirmed from the supplied data, so consumers should track the next libaom point release or pick up the patched package from their distribution (see access.redhat.com/security/cve/CVE-2026-56210 and Red Hat Bugzilla 2490801 for RHEL builds, and the Chromium issue 503975732 for browser-channel uptake). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running libaom and document which services accept remote video encoding parameters with SVC features enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected

Share

EUVD-2026-38046 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy