Description
A use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash).
Published: 2026-06-19
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw exists in FFmpeg’s RASC video decoder, specifically in the decode_move() function. During decoding, a pointer is set into a decompressed buffer and that buffer is reallocated later, leaving the pointer dangling. This weakness, identified as CWE‑416, can lead to the decoder reading freed heap memory, resulting in a crash. The vulnerability is therefore a denial‑of‑service in nature and does not provide an attacker with code execution capabilities.

Affected Systems

Red Hat Enterprise Linux AI version 3 and Red Hat OpenShift AI are the products listed as affected. The vulnerability is tied to the FFmpeg component of these distributions; no specific sub‑versions are enumerated in the advisory.

Risk and Exploitability

The CVSS score of 6.5 places the issue in the moderate severity band. Because an EPSS score is not available, the exact likelihood of exploitation cannot be quantified, but the lack of a known exploit and exclusion from the CISA KEV catalog suggest current threat activity is low. An attacker must supply a crafted AVI file containing a malicious RASC video stream, and a user must open or play that file for the denial‑of‑service to occur. The attack vector is therefore local or remote delivery of a malicious file rather than a network‑based exploit. Overall, the risk is moderate but warranting timely remediation or mitigation.

Generated by OpenCVE AI on June 19, 2026 at 12:20 UTC.

Remediation

Vendor Workaround

If the RASC decoder is not needed, it can be disabled at build time with --disable-decoder=rasc. There is no runtime workaround that disables the decoder without rebuilding FFmpeg.

OpenCVE Recommended Actions

  • Rebuild or install FFmpeg with the RASC decoder disabled by adding "--disable-decoder=rasc" to the configure options and compiling the binary.
  • Stay alert for an official security patch from Red Hat and replace the affected FFmpeg package as soon as it is released.
  • Configure applications that use FFmpeg to avoid processing AVI files that might contain RASC streams, or otherwise validate input before feeding it into the decoder, to mitigate the risk of accidental exploitation.

Generated by OpenCVE AI on June 19, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Description A use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash).
Title Ffmpeg: ffmpeg: heap use-after-free read in rasc decoder decode_move()
First Time appeared Redhat
Redhat enterprise Linux Ai
Redhat openshift Ai
Weaknesses CWE-416
CPEs cpe:/a:redhat:enterprise_linux_ai:3
cpe:/a:redhat:openshift_ai
Vendors & Products Redhat
Redhat enterprise Linux Ai
Redhat openshift Ai
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Redhat Enterprise Linux Ai Openshift Ai
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-19T11:00:32.073Z

Reserved: 2026-06-19T10:26:41.217Z

Link: CVE-2026-12706

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T12:30:06Z

Weaknesses