Bug 2490800 (CVE-2026-56209)
| Field | Value |
|---|---|
| Summary | CVE-2026-56209 libaom: libaom: arbitrary address write via SVC layer context OOB and cyclic refresh map pointer hijack |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | OSIDB Bzimport <bzimport> |
| Assignee | Product Security DevOps Team <prodsec-dev> |
| Status | NEW --- |
| QA Contact | |
| Severity | high |
| Priority | high |
| Docs Contact | |
| Version | unspecified |
| CC | bbrownin, gotiwari, jhorak, mvyas, rhel-process-autobot, watson-tool-maintainers |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | --- |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |

Doc Text:

An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.
An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation by the Alliance for Open Media. A missing bounds check in ctrl_set_layer_id() (av1/av1_cx_iface.c) lets an attacker-chosen layer ID index past the end of the SVC layer_context[] array. That out-of-bounds read overlaps image data, so an attacker who crafts specific Y-plane pixel values controls the bytes that land in the cyclic refresh cr->map field; the attack is self-bootstrapping in the sense that the injected pointer comes from the attacker's own frame rather than from a leak. The encoder then writes through that pointer in av1_cyclic_refresh_update_segment() (av1/encoder/aq_cyclicrefresh.c), storing 1,200 bytes of value 0x00 or 0x01 at the attacker-controlled address. The attack is fully deterministic and does not require any separate information leak. The write is silent in non-sanitizer builds; ASAN aborts on the prerequisite out-of-bounds read before the write path is reached, so a sanitizer run reports only the read.

Impact: arbitrary heap/memory write of ~1,200 bytes with an attacker-controlled base address and byte values limited to 0x00 or 0x01. Reachable from any application that exposes SVC encoder configuration to untrusted input (e.g. real-time video conferencing, transcoding services). Leads to denial of service and control-flow hijack, and could yield remote code execution when combined with other primitives.

Affected: libaom since 2018-01-24, commit f85898632d (pre-v1.0.0); tested on v3.13.3-389-gdc2644ef7e.

Fixed in: 2026-04-19, commit a93ba0ffaa ("Add bounds check for SVC layer context array", BUG=aomedia:503993985), released in v3.14.0.

Upstream report: https://issues.chromium.org/issues/503993984 (restricted)

Reporter: The FuzzAnything Team

PSIRT Ticket: PSIRTSUPT-17177
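The chain described above, reduced to a constructed model so the primitive can be seen end to end. This is an added example and not libaom code: the struct names, sizes and the assumption that the Y-plane buffer sits directly after the layer table are illustrative stand-ins for layer_context[], cr->map and av1_cyclic_refresh_update_segment(). The encoder state is kept in one byte arena so that the "out-of-bounds" layer read stays inside a single allocation; a real encoder would read past its array. The attacker's "pixels" carry the address of a sentinel buffer, the vulnerable lookup copies those bytes into the map pointer, and the refresh update then overwrites the sentinel with 0x00/0x01 bytes. The hardened lookup has the shape of the upstream fix (a bounds check on the layer ID before indexing), but is not the upstream patch.

```c
/* Constructed model of the bug class in this report; not libaom code.
 * Struct layouts, names and sizes are illustrative only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LAYERS  4      /* stand-in for the fixed-size SVC layer_context[] */
#define MAP_BYTES   1200   /* the ~1,200-byte segment map write from the report */
#define PIXEL_BYTES 64     /* a tiny stand-in for the Y plane */

typedef struct {
    uint8_t *map;          /* stand-in for cr->map */
    int      refreshed;
} CyclicRefresh;

typedef struct {
    CyclicRefresh cr;      /* per-layer state carrying the map pointer */
    int           qindex;
} LayerContext;

#define LAYER_TABLE_BYTES (MAX_LAYERS * sizeof(LayerContext))

/* Encoder state as one byte arena: the layer table first, then the pixel
 * buffer directly after it (assumed layout, chosen to model the overlap). */
typedef struct {
    int     number_layers;
    uint8_t arena[LAYER_TABLE_BYTES + PIXEL_BYTES];
} Encoder;

static void encoder_init(Encoder *enc, int layers) {
    static uint8_t maps[MAX_LAYERS][MAP_BYTES];   /* each real layer's own map */
    memset(enc, 0, sizeof *enc);
    enc->number_layers = layers;
    for (int i = 0; i < MAX_LAYERS; i++) {
        LayerContext lc = { { maps[i], 0 }, 0 };
        memcpy(enc->arena + i * sizeof lc, &lc, sizeof lc);
    }
}

/* Vulnerable shape: layer_id is trusted, so an id of MAX_LAYERS copies the
 * bytes that follow the table, i.e. whatever the caller put in the Y plane. */
static int select_layer_vuln(const Encoder *enc, int layer_id, LayerContext *out) {
    memcpy(out, enc->arena + (size_t)layer_id * sizeof *out, sizeof *out);
    return 0;
}

/* Hardened shape: reject ids outside the configured layer count before indexing. */
static int select_layer_fixed(const Encoder *enc, int layer_id, LayerContext *out) {
    if (layer_id < 0 || layer_id >= enc->number_layers || layer_id >= MAX_LAYERS)
        return -1;
    return select_layer_vuln(enc, layer_id, out);
}

/* Stand-in for the segment-map update: stores 0x00/0x01 bytes through cr->map. */
static void cyclic_refresh_update(CyclicRefresh *cr) {
    for (size_t i = 0; i < MAP_BYTES; i++)
        cr->map[i] = (uint8_t)(i % 3 == 0);
}

/* Runs the chain once with an out-of-range layer id. Returns how many bytes of
 * `target` (the attacker-chosen address) were changed, or -1 if the lookup was
 * rejected. */
static int run_chain(int hardened, uint8_t *target) {
    Encoder enc;
    LayerContext lc;
    uintptr_t planted = (uintptr_t)target;
    int rc, changed = 0;

    encoder_init(&enc, MAX_LAYERS);
    /* Constructed "pixel" content: the attacker encodes the target address in
     * the first bytes of the Y plane, which overlap layer_context[MAX_LAYERS]. */
    memcpy(enc.arena + LAYER_TABLE_BYTES, &planted, sizeof planted);
    memset(target, 0xAA, MAP_BYTES);

    rc = hardened ? select_layer_fixed(&enc, MAX_LAYERS, &lc)
                  : select_layer_vuln(&enc, MAX_LAYERS, &lc);
    if (rc != 0)
        return -1;

    cyclic_refresh_update(&lc.cr);    /* writes through the hijacked pointer */
    for (size_t i = 0; i < MAP_BYTES; i++)
        changed += target[i] != 0xAA;
    return changed;
}

int main(void) {
    static uint8_t target[MAP_BYTES];
    printf("vulnerable: %d bytes of target overwritten\n", run_chain(0, target));
    printf("hardened:   rc=%d (lookup rejected)\n", run_chain(1, target));
    return 0;
}
```

The point of the model is the order of operations: the bounds check must run before the array index is used, because once the out-of-range element has been copied the pointer inside it is already attacker data and every later consumer (here the refresh update) trusts it. Note also that the sentinel is overwritten only with 0x00 and 0x01, matching the report's description of a controlled address but a fixed, low-entropy payload.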