Description
FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.
Published: 2026-06-28
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FFmpeg's RASC video decoder contains a flaw that allows a bitstream-controlled, out-of-bounds heap write and adjacent read. The decoder performs 32-bit reads and writes at the row cursor before the next line boundary check and validates the DLTA region in pixel units rather than bytes, meaning that a DLTA run on a PAL8 frame can access bytes beyond the row allocation. This corrupts memory and can lead to arbitrary code execution or a denial-of-service.

Affected Systems

Any deployment that employs the FFmpeg library with an unpatched RASC decoder is impacted. The CVE does not exhibit explicit version constraints, but the problem exists in all releases that contain the vulnerable code until a patch is applied. Systems that accept media streams with the RASC FourCC, such as AVI or MKV containers, are susceptible because the vulnerability is triggered by a crafted media file.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by delivering a malicious media file that contains the RASC FourCC and a specially crafted DLTA region, leading to memory corruption. The impact could be leveraged for elevated privilege execution if the decoding process runs with sufficient rights, although no public exploit is known at present.

Generated by OpenCVE AI on June 28, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FFmpeg to the latest release that includes the RASC decoder patch.
  • If an upgrade is not viable, disable or filter the RASC FourCC decoder so that only trusted media files are processed.
  • Validate media streams for proper FourCC and frame boundaries before passing them to FFmpeg to reduce the chance of boundary overflow.

Generated by OpenCVE AI on June 28, 2026 at 03:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Description FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.
Title FFmpeg - Out-of-Bounds Write in RASC Decoder decode_dlta()
First Time appeared Ffmpeg
Ffmpeg ffmpeg
Weaknesses CWE-787
CPEs cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
Vendors & Products Ffmpeg
Ffmpeg ffmpeg
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ffmpeg Ffmpeg
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-28T01:32:52.900Z

Reserved: 2026-06-28T00:55:25.425Z

Link: CVE-2026-58049

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T03:30:05Z

Weaknesses