Impact
An arbitrary address write vulnerability was identified in the libaom implementation of the AV1 codec. The flaw originates from a missing bounds check in the SVC (Scalable Video Coding) layer ID control function, allowing an attacker to inject an attacker-controlled pointer into the cyclic refresh map field through specially crafted image pixel values. The encoder subsequently writes roughly 1,200 bytes to this arbitrary address in a deterministic manner, granting direct memory corruption without requiring a separate information-leak step. Because of this overwrite, an attacker could trigger a denial of service or, if the memory layout permits, achieve code execution. This weakness is classified as CWE-787, reflecting an out-of-bounds write.
Affected Systems
The affected products span several Red Hat distributions that ship a vulnerable libaom library, including Red Hat Enterprise Linux 9, RHEL 10, Red Hat Enterprise Linux AI 3 and the Red Hat Hardened Images. Any system that exposes a libaom-based encoder with SVC enabled over the network is vulnerable. Additionally, popular applications that embed libaom, such as Firefox and Thunderbird, may be impacted if they bundle an older libaom (pre-3.14.0).
Risk and Exploitability
The CVSS score of 7.1 indicates a medium-high severity, while the unspecified EPSS score and absence from the CISA KEV catalog suggest that current exploitation activity is limited or not publicly known. The attack vector requires the attacker to supply specially crafted frames to a publicly accessible encoding service, making remote exploitation possible against exposed services but not against isolated or internal deployments. Mitigation steps provided by Red Hat recommend validating layer identifiers, restricting untrusted access, and applying ASLR, stack canaries and other hardening mechanisms, but the most effective defense remains installing the patched libaom version.
OpenCVE Enrichment