Bug 2490801 (CVE-2026-56210)
| Summary: | CVE-2026-56210 libaom: libaom: heap-buffer-overflow read via missing bounds check in ctrl_set_layer_id | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | bbrownin, gotiwari, jhorak, mvyas, rhel-process-autobot, watson-tool-maintainers |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation by the Alliance for Open Media. A missing bounds check in ctrl_set_layer_id() (av1/av1_cx_iface.c) allows a caller to set spatial_layer_id to a value exceeding the number of configured spatial layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when the encoder computes a layer_context[] array index during av1_one_pass_cbr_svc_start_layer() (av1/encoder/svc_layercontext.c). The overread can leak adjacent heap contents or hit an unmapped page causing a segmentation fault. Impact: Out-of-bounds heap read of ~40,728 bytes, potentially leaking adjacent heap contents (information disclosure). In non-ASAN builds, the read may hit an unmapped page, causing a segmentation fault (Denial of Service). Reachable from any application using the SVC encoder with untrusted layer_id input. Affected: libaom since 2018-01-24, commit f85898632d (pre-v1.0.0); tested on v3.13.3-389-gdc2644ef7e Fixed in: 2026-04-19, commit a93ba0ffaa ("svc: Check for invalid params for svc layer id setting", Bug: 503975732, 503993984, 503993985), released in v3.14.0. The fix adds bounds validation to ctrl_set_layer_id() and ctrl_set_spatial_layer_id(), returning AOM_CODEC_INVALID_PARAM when spatial_layer_id or temporal_layer_id is outside the range [0, configured_layers). Upstream report: https://issues.chromium.org/issues/503975732 (restricted) Reporter: The FuzzAnything Team PSIRT Ticket: PSIRTSUPT-17178