A heap buffer overflow (out-of-bounds write followed by out-of-bounds read) was found in libaom, the reference AV1 codec implementation by the Alliance for Open Media. The vulnerability exists in the AV1 encoder when an application sets g_lag_in_frames = 1.

The wrap-around guard for the first-pass stats ring buffer in update_firstpass_stats() (av1/encoder/firstpass.c) only fires when cpi->oxcf.pass == AOM_RC_FIRST_PASS, but Look-Ahead Processing (LAP) mode (enabled when g_lag_in_frames >= 1) runs as AOM_RC_ONE_PASS. As a result, the stats_in_end pointer is never wrapped and every frame after the second writes a 232-byte FIRSTPASS_STATS structure past the allocated 2-entry buffer, corrupting adjacent heap objects and their aom_memalign metadata.

Impact: Heap out-of-bounds write of 232-byte FIRSTPASS_STATS entries (29 fields of attacker-influenced floating-point/integer data) into the adjacent heap on every encoder frame after the 2nd, out-of-bounds read in find_next_scenecut(), and process crash via corrupted free() metadata in aom_codec_destroy(). Reachable from any application that exposes encoder configuration to untrusted input (e.g. transcoding services, browsers using libaom for WebRTC encode).

Affected: libaom v2.0.0 (first release shipping LAP support, commits 5517b28e1e and 4be6511843, Dec 2019) through v3.13.3

Fixed in: v3.14.0 by commit 243f8ae84b ("Handle buffer pointer in LAP mode to avoid overflow", BUG=aomedia:504317456, 2026-04-20)

Upstream report: https://issues.chromium.org/issues/504317456 (restricted)

Reporter: The FuzzAnything Team

PSIRT Ticket: PSIRTSUPT-17176
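
The guard mismatch described above, reduced to a self-contained C model. This is an added illustration, not libaom source or the upstream patch: the enum, struct and function names are hypothetical, slots are tracked as indexes so nothing is ever written out of bounds, and the corrected guard is an assumed shape of the fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define RING_ENTRIES 2  /* the advisory's 2-entry stats buffer */

/* Stand-ins for AOM_RC_ONE_PASS / AOM_RC_FIRST_PASS; not libaom's enum. */
enum pass_mode { MODEL_ONE_PASS, MODEL_FIRST_PASS };

struct enc_model {
    enum pass_mode pass;
    bool lap_enabled;    /* models LAP mode (g_lag_in_frames >= 1) */
    size_t end;          /* models stats_in_end as a slot index */
    size_t oob_writes;   /* writes that would land outside the ring */
};

/* Out-of-range slots are counted, never written, so the model has no UB. */
static void write_slot(struct enc_model *e) {
    if (e->end >= RING_ENTRIES) e->oob_writes++;
}

/* Guard as the advisory describes it: wraps only in first-pass mode. */
static void update_stats_flawed(struct enc_model *e) {
    write_slot(e);
    e->end++;
    if (e->pass == MODEL_FIRST_PASS && e->end >= RING_ENTRIES) e->end = 0;
}

/* Corrected shape (assumption): wrap whenever the ring buffer is in use. */
static void update_stats_fixed(struct enc_model *e) {
    write_slot(e);
    e->end++;
    if ((e->pass == MODEL_FIRST_PASS || e->lap_enabled) && e->end >= RING_ENTRIES)
        e->end = 0;
}

/* Encode `frames` frames in LAP mode; return the out-of-bounds write count. */
static size_t simulate(size_t frames, bool fixed) {
    struct enc_model e = { MODEL_ONE_PASS, true, 0, 0 };
    for (size_t i = 0; i < frames; i++) {
        if (fixed) update_stats_fixed(&e); else update_stats_flawed(&e);
    }
    return e.oob_writes;
}

int main(void) {
    printf("flawed: %zu  fixed: %zu\n", simulate(10, false), simulate(10, true));
    return 0;
}
```

With the flawed guard the count grows by one per frame after the second, matching the advisory's description; with the mode-independent guard it stays at zero.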