Skip to main content

libaom EUVDEUVD-2026-38047

| CVE-2026-56211 HIGH
Out-of-bounds Write (CWE-787)
2026-06-19 secalert@redhat.com GHSA-qr4p-j2pf-4w4x
7.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.1 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
vuln.today AI
7.1 HIGH

Reachable over network with no auth but needs victim-side frame processing (UI:R) and a non-trivial crash-oracle brute force plus SVC/fork preconditions (AC:H); RCE yields high I/A and limited info leak (C:L).

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jun 19, 2026 - 18:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 19, 2026 - 18:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 19, 2026 - 18:52 vuln.today
cvss_changed
CVSS changed
Jun 19, 2026 - 18:52 NVD
8.1 (HIGH) 7.1 (HIGH)
Analysis Generated
Jun 19, 2026 - 17:35 vuln.today

DescriptionCVE.org

A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.

AnalysisAI

Remote code execution in libaom (reference AV1 codec) is possible when services use the SVC encoder with attacker-supplied frames, allowing crafted pixel data to overlap encoder layer context structures and hijack the cyclic refresh map pointer. The flaw chains a heap out-of-bounds write (CWE-787) with a crash-oracle ASLR bypass to redirect control flow in fork-based video processing services. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify fork-based AV1 encoder accepting frames
Delivery
Submit crafted SVC-layer video frame
Exploit
Trigger OOB write into layer context
Install
Crash children to brute-force base address
C2
Overwrite cyclic refresh map pointer
Execute
Hijack control flow on next encode
Impact
Execute arbitrary commands as encoder service

Vulnerability AssessmentAI

Exploitation The target service must (1) link libaom as its AV1 encoder, (2) have SVC (Scalable Video Coding) enabled on the encode path, (3) accept attacker-controlled raw video frame pixels - not just pre-encoded bitstreams routed through the decoder - and (4) be deployed in a fork-based worker model so child crashes leak address information back to the attacker for the ASLR brute force. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H reflects the real shape of the bug: reachable over the network through any service that ingests user video, but requiring high attack complexity (the crash-oracle ASLR brute force and the fork-based deployment) and at least nominal user interaction (submitting a frame). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads or streams a crafted AV1 source video to a public transcoding or video-conferencing service whose backend runs a fork-based libaom encoder with SVC enabled. The malicious pixel layout overflows into the SVC layer context, repeatedly crashing child processes to leak the encoder process's base address, and then a final frame hijacks the cyclic refresh map pointer to redirect execution and run attacker commands as the encoder service user. …
Remediation Upstream fix available (commit a93ba0ffaa); released patched version not independently confirmed - rebuild or upgrade libaom to a release that includes aomedia commit a93ba0ffaa (https://aomedia.googlesource.com/aom/+/a93ba0ffaa) and pull the corresponding distro packages once published (track Red Hat at https://access.redhat.com/security/cve/CVE-2026-56211 and Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2490802, and Chromium at https://issues.chromium.org/issues/503993985). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all systems running libaom and map SVC encoder usage and exposure to untrusted input. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected

Share

EUVD-2026-38047 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy