Impact
A heap‑buffer‑overflow read vulnerability exists in the libaom AV1 codec implementation. The flaw is caused by a missing bounds check in the SVC layer‑ID control function, allowing an attacker to set a spatial_layer_id beyond the number of configured layers. This results in an out‑of‑bounds read of roughly 40,728 bytes when the layer context array index is computed, potentially leaking heap data or causing a segmentation fault that brings the service down. The weakness is categorized as CWE‑125.
Affected Systems
The affected systems are Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux AI 3, and Red Hat Hardened Images. The CNA data does not specify a particular version of libaom that is vulnerable, so any installation that contains libaom with SVC enabled could be impacted.
Risk and Exploitability
The CVSS score of 7.1 indicates a medium severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to influence SVC encoder parameters in a network‑exposed service. If successful, the missing bounds check can read up to ~40 KB of heap data for information disclosure, or trigger a segmentation fault that causes denial of service. Because no official patch exists, the risk depends on whether libaom with SVC is deployed and exposed over the network, but the lack of bounds checking makes exploitation straightforward for a capable attacker.
OpenCVE Enrichment