Bug 2490710 (CVE-2026-12706) - CVE-2026-12706 ffmpeg: ffmpeg: heap use-after-free read in RASC decoder decode_move()
Summary: CVE-2026-12706 ffmpeg: ffmpeg: heap use-after-free read in RASC decoder decod...
Keywords:
Status: NEW
Alias: CVE-2026-12706
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-19 10:27 UTC by OSIDB Bzimport
Modified: 2026-06-19 10:50 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-19 10:27:27 UTC
A 16-byte heap use-after-free read was found in FFmpeg's RASC video decoder (libavcodec/rasc.c), in the decode_move() function.

When processing a MOVE chunk with zlib compression enabled (compression == 1), decode_zlib() decompresses data into the s->delta buffer and a GetByteContext (mc) is initialized pointing into it. During the move-processing loop, a type-0 move entry calls av_fast_padded_malloc(&s->delta, &s->delta_size, w*h*s->bpp), which frees and reallocates the buffer when the requested size (e.g. 1600 bytes for a 20x20 32bpp move) exceeds s->delta_size (134 bytes after the initial inflate). The mc pointer is left dangling, and the next loop iteration performs 7 bytestream2_get_le16(&mc) calls and one bytestream2_skip(&mc, 2), reading 16 bytes total from freed heap memory.

The RASC decoder is enabled by default (CONFIG_RASC_DECODER=yes) and is triggered automatically when demuxing AVI files with the RIFF FourCC ('R','A','S','C'). No special flags or codec selection is needed; user interaction is required to open or play the crafted file.

The proven impact is denial of service (deterministic crash on ASan/hardened-allocator builds). On standard glibc, behavior depends on heap reuse patterns.

Affected: FFmpeg (all versions containing the RASC decoder through current HEAD). The reporter verified on FFmpeg master (commit 78da965).

Fix: PR #22992 by Michael Niedermayer, applied to FFmpeg master. The fix introduces a dedicated scratch buffer (s->mv_scratch) for the type-0 pixel copy so s->delta and mc are not disturbed.
Patch: https://patchwork.ffmpeg.org/project/ffmpeg/patch/177766314111.63.10674887811034989327@29965ddac10e/
Mailing list: https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/TTRIJZA7UL6KJTEDMMBGZPLLJERJ3EFX/

Reporter: Seung Min Shin (credited as Found-by in the upstream patch)
PSIRT Ticket: PSIRTSUPT-11278


Note You need to log in before you can comment on or make changes to this bug.