Description
An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.
Published: 2026-06-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An arbitrary address write vulnerability was identified in the libaom implementation of the AV1 codec. The flaw originates from a missing bounds check in the SVC (Scalable Video Coding) layer ID control function, allowing an attacker to inject an attacker-controlled pointer into the cyclic refresh map field through specially crafted image pixel values. The encoder subsequently writes roughly 1,200 bytes to this arbitrary address in a deterministic manner, granting direct memory corruption without requiring a separate information-leak step. Because of this overwrite, an attacker could trigger a denial of service or, if the memory layout permits, achieve code execution. This weakness is classified as CWE-787, reflecting an out-of-bounds write.

Affected Systems

The affected products span several Red Hat distributions that ship a vulnerable libaom library, including Red Hat Enterprise Linux 9, RHEL 10, Red Hat Enterprise Linux AI 3 and the Red Hat Hardened Images. Any system that exposes a libaom-based encoder with SVC enabled over the network is vulnerable. Additionally, popular applications that embed libaom, such as Firefox and Thunderbird, may be impacted if they bundle an older libaom (pre-3.14.0).

Risk and Exploitability

The CVSS score of 7.1 indicates a medium-high severity, while the unspecified EPSS score and absence from the CISA KEV catalog suggest that current exploitation activity is limited or not publicly known. The attack vector requires the attacker to supply specially crafted frames to a publicly accessible encoding service, making remote exploitation possible against exposed services but not against isolated or internal deployments. Mitigation steps provided by Red Hat recommend validating layer identifiers, restricting untrusted access, and applying ASLR, stack canaries and other hardening mechanisms, but the most effective defense remains installing the patched libaom version.

Generated by OpenCVE AI on June 19, 2026 at 20:55 UTC.

Remediation

Vendor Workaround

There is no complete mitigation for this vulnerability. The following measures can reduce risk: 1. If using libaom as a standalone encoder library with SVC enabled, validate that spatial_layer_id and temporal_layer_id values are within the configured range [0, configured_layers) before calling aom_codec_control with AV1E_SET_SVC_LAYER_ID. 2. Restrict access to encoding services to trusted clients only. Do not expose libaom SVC encoder configuration to untrusted input. 3. For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later). 4. Deploy encoding services with ASLR, stack canaries, and other exploit mitigation technologies enabled.


OpenCVE Recommended Actions

  • Upgrade libaom to a version that includes the fix (e.g., v3.14.0 or later, including RHEL updates).
  • Validate spatial_layer_id and temporal_layer_id values before calling aom_codec_control with AV1E_SET_SVC_LAYER_ID.
  • Restrict access to any libaom-based encoding services to trusted clients only and do not expose SVC encoder configuration to untrusted input.
  • For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later).
  • Deploy encoding services with ASLR, stack canaries and other exploitation mitigations enabled.

Generated by OpenCVE AI on June 19, 2026 at 20:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat ai Inference Server
Redhat openshift Ai
CPEs cpe:/a:redhat:ai_inference_server:3
cpe:/a:redhat:openshift_ai
Vendors & Products Redhat ai Inference Server
Redhat openshift Ai

Mon, 29 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
References

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Aomedia
Aomedia libaom
Redhat hardened Images
Vendors & Products Aomedia
Aomedia libaom
Redhat hardened Images

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 20 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.
Title Libaom: libaom: arbitrary address write via svc layer context oob and cyclic refresh map pointer hijack
First Time appeared Redhat
Redhat enterprise Linux
Redhat enterprise Linux Ai
Redhat hummingbird
Weaknesses CWE-787
CPEs cpe:/a:redhat:enterprise_linux_ai:3
cpe:/a:redhat:hummingbird:1
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat enterprise Linux Ai
Redhat hummingbird
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


Subscriptions

Aomedia Libaom
Redhat Ai Inference Server Enterprise Linux Enterprise Linux Ai Hardened Images Hummingbird Openshift Ai
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-08T12:05:48.650Z

Reserved: 2026-06-19T15:50:16.801Z

Link: CVE-2026-56209

cve-icon Vulnrichment

Updated: 2026-07-08T12:05:48.650Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-19T00:00:00Z

Links: CVE-2026-56209 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:44Z

Weaknesses