An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation by the Alliance for Open Media. A missing bounds check in ctrl_set_layer_id() (av1/av1_cx_iface.c) allows an attacker to inject an arbitrary pointer into the cyclic refresh cr->map field via image pixel values (self-bootstrapping), which the encoder then writes to during av1_cyclic_refresh_update_segment() (av1/encoder/aq_cyclicrefresh.c). The attack is fully deterministic and does not require any separate information leak. The attacker crafts specific Y-plane pixel values that, when the out-of-bounds layer_context[] read overlaps them, become the cr->map pointer. The encoder then writes 1,200 bytes at this attacker-controlled address with byte values 0x00 or 0x01. The write is silent in non-sanitizer builds (ASAN aborts on the prerequisite OOB read before reaching the write path).

Impact: Arbitrary heap/memory write of ~1,200 bytes with an attacker-controlled base address and byte value 0x00 or 0x01. Reachable from any application that exposes SVC encoder configuration to untrusted input (e.g. real-time video conferencing, transcoding services). Leads to DoS and control-flow hijacks. Could cause remote code execution when combined with other primitives.

Affected: libaom since 2018-01-24, commit f85898632d (pre-v1.0.0); tested on v3.13.3-389-gdc2644ef7e
Fixed in: 2026-04-19, commit a93ba0ffaa ("Add bounds check for SVC layer context array", BUG=aomedia:503993985), released in v3.14.0
Upstream report: https://issues.chromium.org/issues/503993984 (restricted)
Reporter: The FuzzAnything Team
PSIRT Ticket: PSIRTSUPT-17177
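The following C example is added here to illustrate the class of fix the advisory describes (validating an SVC layer id before it indexes a fixed-size layer context array); it is not libaom's code. The struct layout, the index formula spatial_layer_id * num_temporal_layers + temporal_layer_id, the layer limits, and the names set_layer_id_unchecked() and set_layer_id_checked() are assumptions made for this example. It places the unchecked setter beside the checked one and shows that the checked version rejects any id outside the configured layer counts before the array is touched, which is what removes the out-of-bounds read that the advisory names as the starting point of the write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layer-context layout for illustration only; not libaom's structures. */
#define MAX_SPATIAL_LAYERS 4
#define MAX_TEMPORAL_LAYERS 3
#define MAX_LAYERS (MAX_SPATIAL_LAYERS * MAX_TEMPORAL_LAYERS)

typedef struct {
    int frames_encoded;   /* per-layer state the setter updates */
} layer_state_t;

typedef struct {
    layer_state_t layer_context[MAX_LAYERS];
    /* An index one past the end of layer_context lands on whatever follows the
     * array in memory; a pointer-sized field like this is exactly the kind of
     * state an out-of-range index would read from or write to. */
    uint8_t *cr_map;
} svc_state_t;

typedef struct {
    int spatial_layer_id;
    int temporal_layer_id;
} layer_id_t;

enum { SVC_OK = 0, SVC_ERR_INVALID_PARAM = -1 };

/* "Before": the caller-supplied ids are trusted, so an out-of-range id
 * produces an index beyond layer_context[] with no diagnostic. */
static int set_layer_id_unchecked(svc_state_t *svc, const layer_id_t *id,
                                  int num_temporal_layers) {
    int idx = id->spatial_layer_id * num_temporal_layers + id->temporal_layer_id;
    svc->layer_context[idx].frames_encoded++;   /* out of bounds when idx >= MAX_LAYERS */
    return SVC_OK;
}

/* "After": reject the request unless every component of the index is within
 * both the configured layer counts and the array's compile-time capacity. */
static int set_layer_id_checked(svc_state_t *svc, const layer_id_t *id,
                                int num_spatial_layers, int num_temporal_layers) {
    if (num_spatial_layers < 1 || num_spatial_layers > MAX_SPATIAL_LAYERS)
        return SVC_ERR_INVALID_PARAM;
    if (num_temporal_layers < 1 || num_temporal_layers > MAX_TEMPORAL_LAYERS)
        return SVC_ERR_INVALID_PARAM;
    if (id->spatial_layer_id < 0 || id->spatial_layer_id >= num_spatial_layers)
        return SVC_ERR_INVALID_PARAM;
    if (id->temporal_layer_id < 0 || id->temporal_layer_id >= num_temporal_layers)
        return SVC_ERR_INVALID_PARAM;
    int idx = id->spatial_layer_id * num_temporal_layers + id->temporal_layer_id;
    if (idx < 0 || idx >= MAX_LAYERS)   /* defensive: guards the combined index too */
        return SVC_ERR_INVALID_PARAM;
    svc->layer_context[idx].frames_encoded++;
    return SVC_OK;
}

int main(void) {
    svc_state_t svc;
    memset(&svc, 0, sizeof svc);
    /* Constructed inputs: one valid id and one whose spatial id exceeds the
     * configured two spatial layers (and the array itself). */
    layer_id_t valid = {0, 0};
    layer_id_t too_large = {7, 0};
    printf("valid id     -> %d\n", set_layer_id_checked(&svc, &valid, 2, 2));
    printf("spatial id 7 -> %d\n", set_layer_id_checked(&svc, &too_large, 2, 2));
    return 0;
}
```

The checked setter validates each component against the configured layer counts rather than only against the array capacity, so an id that is numerically inside the array but outside the active configuration is still rejected; the final check on the combined index is redundant under these limits but keeps the function safe if the limits are later changed.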