Description
A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.
Published: 2026-06-19
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in libaom’s handling of the SVC layer ID allows an attacker to supply crafted video frame pixels that overlap with internal encoder context structures. This overlap can hijack the cyclic refresh map pointer, allowing an attacker to brute‑force the process base address via a crash oracle and redirect the encoder’s control flow to execute arbitrary code. The vulnerability can lead to full remote code execution on the host running the vulnerable encoder.

Affected Systems

Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 9, Red Hat Enterprise Linux AI 3, and Red Hat Hardened Images are affected. No specific impacted versions are listed in the CVE data, so all current releases that use libaom with SVC encoding may be vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact risk. Although EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, the flaw’s exploitation requires an attacker to send maliciously crafted frames to a service that uses libaom SVC encoding. The likely vector is a remote network‑based video processing service that accepts untrusted input. Because the attack requires only the ability to supply frames, it can be performed from an unprivileged remote host, making it a significant threat for exposed encoding services.

Generated by OpenCVE AI on June 19, 2026 at 20:27 UTC.

Remediation

Vendor Workaround

There is no complete mitigation for this vulnerability. The following measures can reduce risk: 1. If using libaom as a standalone encoder in a fork-based service, validate all SVC layer parameters (spatial_layer_id, temporal_layer_id) against configured bounds before passing them to the encoder API. 2. Avoid fork-based architectures for encoding services that accept untrusted input. Use thread-based or container-isolated workers instead, which prevent crash oracle attacks. 3. Restrict access to encoding services to trusted clients only. Do not expose SVC encoder configuration or frame submission to untrusted network input. 4. For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later). 5. Enable all available exploit mitigations (ASLR, PIE, stack canaries, CFI) on encoding service binaries.

OpenCVE Recommended Actions

  • Apply any vendor‑issued patch for libaom (e.g., upgrade to a patched version) as soon as it becomes available.
  • Validate all SVC layer parameters (spatial_layer_id, temporal_layer_id) against configured bounds before calling the encoder API in any fork‑based service.
  • Re‑architect encoding services to avoid fork‑based designs; use thread‑based or container‑isolated workers to prevent crash‑oracle attacks.
  • Restrict access to encoding services to trusted clients only; do not expose encoder configuration or frame submission interfaces to untrusted networks.
  • For Firefox and Thunderbird users, install browser updates that contain the patched libaom (v3.14.0 or later).
  • Enable all available exploit mitigations (ASLR, PIE, stack canaries, CFI) on binaries that invoke libaom.

Generated by OpenCVE AI on June 19, 2026 at 20:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.
Title Libaom: libaom: remote code execution via svc layer context handling with attacker-controlled frames
First Time appeared Redhat
Redhat enterprise Linux
Redhat enterprise Linux Ai
Redhat hummingbird
Weaknesses CWE-787
CPEs cpe:/a:redhat:enterprise_linux_ai:3
cpe:/a:redhat:hummingbird:1
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat enterprise Linux Ai
Redhat hummingbird
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H'}

Subscriptions

Redhat Enterprise Linux Enterprise Linux Ai Hummingbird
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-19T17:47:00.659Z

Reserved: 2026-06-19T15:50:16.801Z

Link: CVE-2026-56211

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses