Libaom: libaom: heap buffer overflow in av1 encoder first-pass stats buffer via lap mode
Summary
| CVE | CVE-2026-56208 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-19 17:16:30 UTC |
| Updated | 2026-06-22 14:17:44 UTC |
| Description | A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution. |
Risk And Classification
Primary CVSS: v3.1 7.6 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Problem Types: CWE-122 | CWE-122 Heap-based Buffer Overflow
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H |
| 3.1 | CNA | CVSS | 7.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Hardened Images | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| aomedia.googlesource.com/aom/+/243f8ae84b | [email protected] | aomedia.googlesource.com | |
| access.redhat.com/security/cve/CVE-2026-56208 | [email protected] | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | |
| issues.chromium.org/issues/504317456 | [email protected] | issues.chromium.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Red Hat would like to thank The FuzzAnything Team (FuzzAnything) for reporting this issue. (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-06-19T00:00:00.000Z | Reported to Red Hat. |
| CNA | 2026-06-19T00:00:00.000Z | Made public. |
Workarounds
CNA: There is no complete mitigation for this vulnerability. The following measures can reduce risk: 1. If using libaom as a standalone encoder library, avoid setting g_lag_in_frames to values >= 1 when processing untrusted input, or validate all encoder configuration parameters before passing them to the libaom API. 2. For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later). 3. For standalone libaom deployments (RHEL-AI, Hummingbird), restrict access to the encoding service to trusted clients only. 4. Apply network-level access controls to limit who can submit video for encoding.