Description
A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution.
Published: 2026-06-19
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in libaom’s AV1 encoder Look‑Ahead Processing bypasses a ring buffer guard when the configuration parameter g_lag_in_frames is set to 1 or higher. Each encoded frame after the second triggers a 232‑byte out‑of‑bounds write that corrupts adjacent heap objects. The weakness is a classic heap buffer overflow (CWE‑122) that can lead to a process crash for denial of service or, under the right circumstances, arbitrary code execution. The CVSS score of 7.6 indicates high risk, though no EPSS data is available and the vulnerability is not listed in the CISA KEV catalog.

Affected Systems

Affected products include Red Hat Enterprise Linux 9 and 10, Red Hat Enterprise Linux AI 3, Red Hat Hardened Images, and the Hummingbird image repository, all of which embed libaom in packaged form. Exact version numbers are not provided, but any distribution that ships libaom without the v3.14.0+ patch is impacted.

Risk and Exploitability

Exploitation requires an attacker to influence the encoder configuration of a transcoding service or WebRTC session. By supplying g_lag_in_frames values of 1 or higher with untrusted input, an attacker can cause the overflow and trigger a denial of service or, if conditions allow, convert the heap corruption into code execution. The lack of EPSS data suggests that exploitation is feasible but may not be widespread yet; however, the high CVSS score and the potential for code execution warrant prompt remediation.

Generated by OpenCVE AI on June 19, 2026 at 20:54 UTC.

Remediation

Vendor Workaround

There is no complete mitigation for this vulnerability. The following measures can reduce risk: 1. If using libaom as a standalone encoder library, avoid setting g_lag_in_frames to values >= 1 when processing untrusted input, or validate all encoder configuration parameters before passing them to the libaom API. 2. For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later). 3. For standalone libaom deployments (RHEL-AI, Hummingbird), restrict access to the encoding service to trusted clients only. 4. Apply network-level access controls to limit who can submit video for encoding.


OpenCVE Recommended Actions

  • Update libaom to version 3.14.0 or later, which contains a patch that restores the buffer guard in LAP mode
  • For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later)
  • If libaom is used as a standalone encoder, do not set g_lag_in_frames to 1 or higher when processing untrusted input; validate or sanitize all configuration parameters before passing them to the libaom API
  • Restrict access to any standalone libaom encoding service so that only trusted clients can submit video for encoding
  • Apply network‑level access controls to limit submission of video data to the encoding service

Generated by OpenCVE AI on June 19, 2026 at 20:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat ai Inference Server
Redhat openshift Ai
CPEs cpe:/a:redhat:ai_inference_server:3
cpe:/a:redhat:openshift_ai
Vendors & Products Redhat ai Inference Server
Redhat openshift Ai

Mon, 29 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
References

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Aomedia
Aomedia libaom
Redhat hardened Images
Vendors & Products Aomedia
Aomedia libaom
Redhat hardened Images

Mon, 22 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 20 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution.
Title Libaom: libaom: heap buffer overflow in av1 encoder first-pass stats buffer via lap mode
First Time appeared Redhat
Redhat enterprise Linux
Redhat enterprise Linux Ai
Redhat hummingbird
Weaknesses CWE-122
CPEs cpe:/a:redhat:enterprise_linux_ai:3
cpe:/a:redhat:hummingbird:1
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat enterprise Linux Ai
Redhat hummingbird
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}


Subscriptions

Aomedia Libaom
Redhat Ai Inference Server Enterprise Linux Enterprise Linux Ai Hardened Images Hummingbird Openshift Ai
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-08T12:05:47.123Z

Reserved: 2026-06-19T15:50:16.801Z

Link: CVE-2026-56208

cve-icon Vulnrichment

Updated: 2026-07-08T12:05:47.123Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-19T00:00:00Z

Links: CVE-2026-56208 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:43Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow