Description
A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).
Published: 2026-06-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap‑buffer‑overflow read vulnerability exists in the libaom AV1 codec implementation. The flaw is caused by a missing bounds check in the SVC layer‑ID control function, allowing an attacker to set a spatial_layer_id beyond the number of configured layers. This results in an out‑of‑bounds read of roughly 40,728 bytes when the layer context array index is computed, potentially leaking heap data or causing a segmentation fault that brings the service down. The weakness is categorized as CWE‑125.

Affected Systems

The affected systems are Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux AI 3, and Red Hat Hardened Images. The CNA data does not specify a particular version of libaom that is vulnerable, so any installation that contains libaom with SVC enabled could be impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to influence SVC encoder parameters in a network‑exposed service. If successful, the missing bounds check can read up to ~40 KB of heap data for information disclosure, or trigger a segmentation fault that causes denial of service. Because no official patch exists, the risk depends on whether libaom with SVC is deployed and exposed over the network, but the lack of bounds checking makes exploitation straightforward for a capable attacker.

Generated by OpenCVE AI on June 19, 2026 at 21:18 UTC.

Remediation

Vendor Workaround

There is no complete mitigation for this vulnerability. The following measures can reduce risk: 1. If using libaom as a standalone encoder library with SVC enabled, validate that spatial_layer_id does not exceed the number of configured spatial layers before calling aom_codec_control with AV1E_SET_SVC_LAYER_ID. 2. Restrict access to encoding services to trusted clients only. 3. For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later). 4. Monitor encoding service processes for unexpected crashes (segfaults) that may indicate exploitation attempts.


OpenCVE Recommended Actions

  • Validate the spatial_layer_id before calling aom_codec_control with AV1E_SET_SVC_LAYER_ID when using libaom as a standalone encoder library with SVC enabled
  • Restrict access to encoding services to trusted clients only
  • Update browsers such as Firefox and Thunderbird to versions that contain the patched libaom (v3.14.0 or later)
  • Monitor encoding service processes for unexpected crashes (segfaults) that may indicate exploitation attempts
  • If no patch is available, consider disabling SVC in libaom or moving to a different encoder until a vendor fix is released

Generated by OpenCVE AI on June 19, 2026 at 21:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat ai Inference Server
Redhat openshift Ai
CPEs cpe:/a:redhat:ai_inference_server:3
cpe:/a:redhat:openshift_ai
Vendors & Products Redhat ai Inference Server
Redhat openshift Ai

Mon, 29 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
References

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Aomedia
Aomedia libaom
Redhat hardened Images
Vendors & Products Aomedia
Aomedia libaom
Redhat hardened Images

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 20 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).
Title Libaom: libaom: heap-buffer-overflow read via missing bounds check in ctrl_set_layer_id
First Time appeared Redhat
Redhat enterprise Linux
Redhat enterprise Linux Ai
Redhat hummingbird
Weaknesses CWE-125
CPEs cpe:/a:redhat:enterprise_linux_ai:3
cpe:/a:redhat:hummingbird:1
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat enterprise Linux Ai
Redhat hummingbird
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}


Subscriptions

Aomedia Libaom
Redhat Ai Inference Server Enterprise Linux Enterprise Linux Ai Hardened Images Hummingbird Openshift Ai
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-08T12:05:46.824Z

Reserved: 2026-06-19T15:50:16.801Z

Link: CVE-2026-56210

cve-icon Vulnrichment

Updated: 2026-07-08T12:05:46.824Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-19T00:00:00Z

Links: CVE-2026-56210 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:42Z

Weaknesses