RHSA-2026:30814
Vulnerability from csaf_redhat - Published: 2026-06-28 22:34 - Updated: 2026-06-30 04:20

A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:aom-main@aarch64 | — | — | Vendor Fix; Workaround |
| Unresolved product id: Red Hat Hardened Images:aom-main@src | — | — | Vendor Fix; Workaround |
| Unresolved product id: Red Hat Hardened Images:aom-main@x86_64 | — | — | Vendor Fix; Workaround |
An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:aom-main@aarch64 | — | — | Vendor Fix; Workaround |
| Unresolved product id: Red Hat Hardened Images:aom-main@src | — | — | Vendor Fix; Workaround |
| Unresolved product id: Red Hat Hardened Images:aom-main@x86_64 | — | — | Vendor Fix; Workaround |
A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:aom-main@aarch64 | — | — | Vendor Fix; Workaround |
| Unresolved product id: Red Hat Hardened Images:aom-main@src | — | — | Vendor Fix; Workaround |
| Unresolved product id: Red Hat Hardened Images:aom-main@x86_64 | — | — | Vendor Fix; Workaround |
A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:aom-main@aarch64 | — | — | Vendor Fix; Workaround |
| Unresolved product id: Red Hat Hardened Images:aom-main@src | — | — | Vendor Fix; Workaround |
| Unresolved product id: Red Hat Hardened Images:aom-main@x86_64 | — | — | Vendor Fix; Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\naom:\n * aom-3.14.0-0.1.hum1 (aarch64, x86_64)\n * libaom-3.14.0-0.1.hum1 (aarch64, x86_64)\n * libaom-devel-3.14.0-0.1.hum1 (aarch64, x86_64)\n * libaom-devel-docs-3.14.0-0.1.hum1 (aarch64, x86_64)\n * aom-3.14.0-0.1.hum1.src (src)\n\nSecurity Fix(es):\n\naom:\n * CVE-2026-56208\n * CVE-2026-56209\n * CVE-2026-56210\n * CVE-2026-56211",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:30814",
"url": "https://access.redhat.com/errata/RHSA-2026:30814"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-56208",
"url": "https://access.redhat.com/security/cve/CVE-2026-56208"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-56209",
"url": "https://access.redhat.com/security/cve/CVE-2026-56209"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-56210",
"url": "https://access.redhat.com/security/cve/CVE-2026-56210"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-56211",
"url": "https://access.redhat.com/security/cve/CVE-2026-56211"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_30814.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update",
"tracking": {
"current_release_date": "2026-06-30T04:20:17+00:00",
"generator": {
"date": "2026-06-30T04:20:17+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:30814",
"initial_release_date": "2026-06-28T22:34:27+00:00",
"revision_history": [
{
"date": "2026-06-28T22:34:27+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-28T22:35:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:20:17+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "aom-main@aarch64",
"product": {
"name": "aom-main@aarch64",
"product_id": "aom-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aom@3.14.0-0.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "aom-main@src",
"product": {
"name": "aom-main@src",
"product_id": "aom-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aom@3.14.0-0.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "aom-main@x86_64",
"product": {
"name": "aom-main@x86_64",
"product_id": "aom-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aom@3.14.0-0.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "aom-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:aom-main@aarch64"
},
"product_reference": "aom-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "aom-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:aom-main@src"
},
"product_reference": "aom-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "aom-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:aom-main@x86_64"
},
"product_reference": "aom-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"The FuzzAnything Team"
],
"organization": "FuzzAnything"
}
],
"cve": "CVE-2026-56208",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"discovery_date": "2026-06-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490799"
}
],
"notes": [
{
"category": "description",
"text": "A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder\u0027s Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libaom: libaom: heap buffer overflow in AV1 encoder first-pass stats buffer via LAP mode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as Important severity because a heap buffer overflow with attacker-influenced data can cause reliable denial of service and potentially lead to code execution, though the attacker has only indirect control over the written values (encoder-computed statistics). In Red Hat products, libaom ships bundled within Firefox and Thunderbird as a statically-linked dependency used for AV1 decoding and WebRTC encoding. The vulnerable code path requires the encoder to be configured with g_lag_in_frames \u003e= 1 (Look-Ahead Processing mode). In Firefox\u0027s WebRTC implementation, the encoder configuration is controlled by the browser itself and not exposed to remote peers, which significantly limits the attack surface compared to standalone transcoding services. RHEL-AI 3.4 and Hummingbird 1 ship standalone libaom (aom) packages at versions within the affected range. Applications on those platforms that use the libaom encoder API with LAP mode and accept untrusted configuration input are vulnerable.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-56208"
},
{
"category": "external",
"summary": "RHBZ#2490799",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490799"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-56208",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-56208"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-56208",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56208"
},
{
"category": "external",
"summary": "https://aomedia.googlesource.com/aom/+/243f8ae84b",
"url": "https://aomedia.googlesource.com/aom/+/243f8ae84b"
},
{
"category": "external",
"summary": "https://issues.chromium.org/issues/504317456",
"url": "https://issues.chromium.org/issues/504317456"
}
],
"release_date": "2026-06-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-28T22:34:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30814"
},
{
"category": "workaround",
"details": "There is no complete mitigation for this vulnerability. The following measures can reduce risk:\n\n1. If using libaom as a standalone encoder library, avoid setting g_lag_in_frames to values \u003e= 1 when processing untrusted input, or validate all encoder configuration parameters before passing them to the libaom API.\n2. For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later).\n3. For standalone libaom deployments (RHEL-AI, Hummingbird), restrict access to the encoding service to trusted clients only.\n4. Apply network-level access controls to limit who can submit video for encoding.",
"product_ids": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libaom: libaom: heap buffer overflow in AV1 encoder first-pass stats buffer via LAP mode"
},
{
"acknowledgments": [
{
"names": [
"The FuzzAnything Team"
],
"organization": "FuzzAnything"
}
],
"cve": "CVE-2026-56209",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2026-06-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490800"
}
],
"notes": [
{
"category": "description",
"text": "An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libaom: libaom: arbitrary address write via SVC layer context OOB and cyclic refresh map pointer hijack",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as Critical severity because it provides a fully deterministic arbitrary address write primitive that requires no information leak and is self-bootstrapping from attacker-controlled pixel values. The 1,200-byte write at an attacker-chosen address is sufficient for control flow hijacking. In Red Hat products, libaom ships bundled within Firefox and Thunderbird. The vulnerable code path requires the SVC (Scalable Video Coding) encoder feature to be enabled and the attacker to control both the layer_id configuration and the image frame pixel values. In Firefox\u0027s WebRTC implementation, SVC encoding parameters and frame submission are managed internally by the browser; a remote peer cannot directly set arbitrary layer IDs or inject pixel values into the local encoder. This significantly reduces exploitability in the browser context. RHEL-AI 3.4 (aom 3.12.0) and Hummingbird 1 (aom 3.13.3) ship standalone libaom packages within the affected version range. Services on those platforms that expose the SVC encoder API with attacker-controlled layer configuration and frame input are at highest risk.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-56209"
},
{
"category": "external",
"summary": "RHBZ#2490800",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490800"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-56209",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-56209"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-56209",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56209"
},
{
"category": "external",
"summary": "https://aomedia.googlesource.com/aom/+/a93ba0ffaa",
"url": "https://aomedia.googlesource.com/aom/+/a93ba0ffaa"
},
{
"category": "external",
"summary": "https://issues.chromium.org/issues/503993984",
"url": "https://issues.chromium.org/issues/503993984"
}
],
"release_date": "2026-06-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-28T22:34:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30814"
},
{
"category": "workaround",
"details": "There is no complete mitigation for this vulnerability. The following measures can reduce risk:\n\n1. If using libaom as a standalone encoder library with SVC enabled, validate that spatial_layer_id and temporal_layer_id values are within the configured range [0, configured_layers) before calling aom_codec_control with AV1E_SET_SVC_LAYER_ID.\n2. Restrict access to encoding services to trusted clients only. Do not expose libaom SVC encoder configuration to untrusted input.\n3. For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later).\n4. Deploy encoding services with ASLR, stack canaries, and other exploit mitigation technologies enabled.",
"product_ids": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libaom: libaom: arbitrary address write via SVC layer context OOB and cyclic refresh map pointer hijack"
},
{
"acknowledgments": [
{
"names": [
"The FuzzAnything Team"
],
"organization": "FuzzAnything"
}
],
"cve": "CVE-2026-56210",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2026-06-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490801"
}
],
"notes": [
{
"category": "description",
"text": "A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libaom: libaom: heap-buffer-overflow read via missing bounds check in ctrl_set_layer_id",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as Important severity because the 40KB out-of-bounds heap read can disclose sensitive information from adjacent heap allocations (including pointers useful for ASLR bypass in chained attacks) and reliably causes denial of service by hitting unmapped pages. In Red Hat products, libaom ships bundled within Firefox and Thunderbird. The vulnerable code path requires the SVC encoder feature to be enabled and an attacker to set spatial_layer_id to a value exceeding the number of configured spatial layers. In Firefox\u0027s WebRTC implementation, SVC layer parameters are managed internally by the browser and not directly exposed to remote peers, which limits exploitability. RHEL-AI 3.4 (aom 3.12.0) and Hummingbird 1 (aom 3.13.3) ship standalone libaom packages within the affected version range. Services that expose SVC encoder layer configuration to untrusted input are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-56210"
},
{
"category": "external",
"summary": "RHBZ#2490801",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490801"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-56210",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-56210"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-56210",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56210"
},
{
"category": "external",
"summary": "https://aomedia.googlesource.com/aom/+/a93ba0ffaa",
"url": "https://aomedia.googlesource.com/aom/+/a93ba0ffaa"
},
{
"category": "external",
"summary": "https://issues.chromium.org/issues/503975732",
"url": "https://issues.chromium.org/issues/503975732"
}
],
"release_date": "2026-06-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-28T22:34:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30814"
},
{
"category": "workaround",
"details": "There is no complete mitigation for this vulnerability. The following measures can reduce risk:\n\n1. If using libaom as a standalone encoder library with SVC enabled, validate that spatial_layer_id does not exceed the number of configured spatial layers before calling aom_codec_control with AV1E_SET_SVC_LAYER_ID.\n2. Restrict access to encoding services to trusted clients only.\n3. For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later).\n4. Monitor encoding service processes for unexpected crashes (segfaults) that may indicate exploitation attempts.",
"product_ids": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libaom: libaom: heap-buffer-overflow read via missing bounds check in ctrl_set_layer_id"
},
{
"acknowledgments": [
{
"names": [
"The FuzzAnything Team"
],
"organization": "FuzzAnything"
}
],
"cve": "CVE-2026-56211",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2026-06-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490802"
}
],
"notes": [
{
"category": "description",
"text": "A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder\u0027s SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libaom: libaom: remote code execution via SVC layer context handling with attacker-controlled frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as Critical severity because the researcher demonstrated successful remote code execution against a fork-based video processing service. The exploit chain leverages attacker-controlled pixel values to hijack internal encoder pointers, uses a crash oracle to brute-force ASLR, and ultimately achieves arbitrary command execution. However, the attack complexity is elevated: it requires a fork-based service architecture (for the crash oracle), multiple encoding attempts (for ASLR brute-force), and knowledge of the target binary layout. In Red Hat products, libaom ships bundled within Firefox and Thunderbird. Firefox does not use a fork-based architecture for WebRTC encoding, and SVC layer parameters are managed internally, making the demonstrated exploit chain not directly applicable to the browser context. RHEL-AI 3.4 (aom 3.12.0) and Hummingbird 1 (aom 3.13.3) ship standalone libaom packages within the affected version range. Fork-based transcoding or video conferencing services that use libaom with SVC encoding and accept attacker-supplied frames are at highest risk for this specific exploit chain.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-56211"
},
{
"category": "external",
"summary": "RHBZ#2490802",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490802"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-56211",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-56211"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-56211",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56211"
},
{
"category": "external",
"summary": "https://aomedia.googlesource.com/aom/+/a93ba0ffaa",
"url": "https://aomedia.googlesource.com/aom/+/a93ba0ffaa"
},
{
"category": "external",
"summary": "https://issues.chromium.org/issues/503993985",
"url": "https://issues.chromium.org/issues/503993985"
}
],
"release_date": "2026-06-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-28T22:34:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30814"
},
{
"category": "workaround",
"details": "There is no complete mitigation for this vulnerability. The following measures can reduce risk:\n\n1. If using libaom as a standalone encoder in a fork-based service, validate all SVC layer parameters (spatial_layer_id, temporal_layer_id) against configured bounds before passing them to the encoder API.\n2. Avoid fork-based architectures for encoding services that accept untrusted input. Use thread-based or container-isolated workers instead, which prevent crash oracle attacks.\n3. Restrict access to encoding services to trusted clients only. Do not expose SVC encoder configuration or frame submission to untrusted network input.\n4. For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later).\n5. Enable all available exploit mitigations (ASLR, PIE, stack canaries, CFI) on encoding service binaries.",
"product_ids": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:aom-main@aarch64",
"Red Hat Hardened Images:aom-main@src",
"Red Hat Hardened Images:aom-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libaom: libaom: remote code execution via SVC layer context handling with attacker-controlled frames"
}
]
}