Bug 2490802 (CVE-2026-56211)
| Summary: | CVE-2026-56211 libaom: libaom: remote code execution via SVC layer context handling with attacker-controlled frames | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | alinfoot, bbrownin, dtrifiro, gotiwari, jhorak, jkoehler, lphiri, mvyas, rbryant, rhel-process-autobot, watson-tool-maintainers, weaton |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation by the Alliance for Open Media. A heap buffer overflow exists in the AV1 encoder SVC layer context handling. The encoder control path for setting the active SVC layer ID lacks sufficient bounds validation, allowing an out-of-range spatial/temporal layer selection to make ctrl_set_layer_id() operate on a non-existent LAYER_CONTEXT entry. In a 320x240 encoder configuration using 2 spatial layers, 3 temporal layers, and cyclic refresh (aq_mode=3), the out-of-bounds "ghost" layer_context[9] overlaps attacker-controlled image Y-plane data. This lets an attacker supply video frame pixels that become security-sensitive layer-context fields, including the cr->map pointer used by cyclic refresh. The demonstrated exploit chain uses the attacker-controlled cr->map pointer as a crash oracle to recover the PIE base in fork-based services, then redirects cyclic-refresh writes into writable GOT.PLT entries and pivots control flow toward command execution. The PoC demonstrated successful code execution in a remote setting with partial local assistance. Components: av1/av1_cx_iface.c (ctrl_set_layer_id()), av1/encoder/svc_layercontext.c (av1_restore_layer_context()), av1/encoder/aq_cyclicrefresh.c (av1_cyclic_refresh_update_segment()) Impact: Remote code execution in fork-based video processing services that expose libaom AV1 encoder configuration and accept attacker-supplied frames. Full CIA compromise demonstrated. Affected: libaom since 2018-01-24, commit f85898632d (pre-v1.0.0); tested on v3.13.3-389-gdc2644ef7e Fixed in: 2026-04-19, commit a93ba0ffaa ("Add bounds check for SVC layer context array", BUG=aomedia:503993985), released in v3.14.0 Upstream report: https://issues.chromium.org/issues/503993985 (restricted) Reporter: The FuzzAnything Team PSIRT Ticket: PSIRTSUPT-17179