{"api_version":"1","generated_at":"2026-07-02T09:57:59+00:00","cve":"CVE-2026-58049","urls":{"html":"https://cve.report/CVE-2026-58049","api":"https://cve.report/api/cve/CVE-2026-58049.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-58049","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-58049"},"summary":{"title":"FFmpeg - Out-of-Bounds Write in RASC Decoder decode_dlta()","description":"FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.","state":"PUBLISHED","assigner":"VulnCheck","published_at":"2026-06-28 02:16:30","updated_at":"2026-06-30 03:21:05"},"problem_types":["CWE-787","CWE-787 Out-of-bounds Write"],"metrics":[{"version":"4.0","source":"disclosure@vulncheck.com","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"8.8","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N","data":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.8,"baseSeverity":"HIGH","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW"}},{"version":"3.1","source":"ADP","type":"CVSS","score":"7.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.6,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","version":"3.1"}},{"version":"3.1","source":"disclosure@vulncheck.com","type":"Primary","score":"8.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"7.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"8.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H","version":"3.1"}}],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2493952","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2493952","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/bikini/exploitarium/tree/main/ffmpeg-rasc-dlta-calc-poc","name":"https://github.com/bikini/exploitarium/tree/main/ffmpeg-rasc-dlta-calc-poc","refsource":"disclosure@vulncheck.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.vulncheck.com/advisories/ffmpeg-out-of-bounds-write-in-rasc-decoder-decode-dlta","name":"https://www.vulncheck.com/advisories/ffmpeg-out-of-bounds-write-in-rasc-decoder-decode-dlta","refsource":"disclosure@vulncheck.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-58049","name":"https://access.redhat.com/security/cve/CVE-2026-58049","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-58049.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-58049.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/rasc.c","name":"https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/rasc.c","refsource":"disclosure@vulncheck.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-58049","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-58049","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"FFmpeg","product":"FFmpeg","version":"affected bcd2c69e087a09b07cf45c6bd2428ee1ccb2925c git","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift AI (RHOAI)","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-06-28T03:01:15.644Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-06-28T01:32:52.900Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"ADP","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"ashdfrkl","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"58049","cve":"CVE-2026-58049","epss":"0.002170000","percentile":"0.121720000","score_date":"2026-07-01","updated_at":"2026-07-02 00:05:25"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-58049","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-29T13:52:19.360635Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-29T13:52:27.762Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"}],"datePublic":"2026-06-28T01:32:52.900Z","descriptions":[{"lang":"en","value":"A flaw was found in FFmpeg's RASC video decoder. A remote attacker could exploit this by providing a crafted media stream using the RASC FourCC (Four Character Code), which is then decoded by libavcodec. This vulnerability triggers a bitstream-controlled out-of-bounds heap write and an adjacent out-of-bounds read, leading to memory corruption. This can result in a denial of service or potentially arbitrary code execution."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.6,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-787","description":"Out-of-bounds Write","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T02:41:50.421Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-58049"},{"name":"RHBZ#2493952","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2493952"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-58049.json"}],"timeline":[{"lang":"en","time":"2026-06-28T03:01:15.644Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-28T01:32:52.900Z","value":"Made public."}],"title":"FFmpeg: FFmpeg: Memory corruption via crafted RASC video stream","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"defaultStatus":"affected","product":"FFmpeg","vendor":"FFmpeg","versions":[{"lessThanOrEqual":"bcd2c69e087a09b07cf45c6bd2428ee1ccb2925c","status":"affected","version":"0","versionType":"git"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*","vulnerable":true}],"negate":false,"operator":"OR"}]}],"credits":[{"lang":"en","type":"finder","value":"ashdfrkl"}],"datePublic":"2026-06-26T00:00:00.000Z","descriptions":[{"lang":"en","value":"FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H","version":"3.1"},"format":"CVSS"},{"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.8,"baseSeverity":"HIGH","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-787","description":"Out-of-bounds Write","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-28T01:32:52.900Z","orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck"},"references":[{"name":"Proof of Concept","tags":["exploit","third-party-advisory"],"url":"https://github.com/bikini/exploitarium/tree/main/ffmpeg-rasc-dlta-calc-poc"},{"name":"libavcodec/rasc.c","tags":["product"],"url":"https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/rasc.c"},{"name":"VulnCheck Advisory: FFmpeg - Out-of-Bounds Write in RASC Decoder decode_dlta()","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/ffmpeg-out-of-bounds-write-in-rasc-decoder-decode-dlta"}],"title":"FFmpeg - Out-of-Bounds Write in RASC Decoder decode_dlta()","x_generator":{"engine":"vulncheck-endgame"}}},"cveMetadata":{"assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","assignerShortName":"VulnCheck","cveId":"CVE-2026-58049","datePublished":"2026-06-28T01:32:52.900Z","dateReserved":"2026-06-28T00:55:25.425Z","dateUpdated":"2026-06-30T02:41:50.421Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-28 02:16:30","lastModifiedDate":"2026-06-30 03:21:05","problem_types":["CWE-787","CWE-787 Out-of-bounds Write"],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":4.7},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":4.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-29T13:52:19.360635Z","id":"CVE-2026-58049","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"58049","Ordinal":"1","Title":"FFmpeg - Out-of-Bounds Write in RASC Decoder decode_dlta()","CVE":"CVE-2026-58049","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"58049","Ordinal":"1","NoteData":"FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.","Type":"Description","Title":"FFmpeg - Out-of-Bounds Write in RASC Decoder decode_dlta()"}]}}}