A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation by the Alliance for Open Media. A missing bounds check in ctrl_set_layer_id() (av1/av1_cx_iface.c) allows a caller to set spatial_layer_id to a value exceeding the number of configured spatial layers.

This causes an out-of-bounds heap read of approximately 40,728 bytes when the encoder computes a layer_context[] array index during av1_one_pass_cbr_svc_start_layer() (av1/encoder/svc_layercontext.c). The overread can leak adjacent heap contents or hit an unmapped page causing a segmentation fault.

Impact: Out-of-bounds heap read of ~40,728 bytes, potentially leaking adjacent heap contents (information disclosure). In non-ASAN builds, the read may hit an unmapped page, causing a segmentation fault (Denial of Service). Reachable from any application using the SVC encoder with untrusted layer_id input.

Affected: libaom since 2018-01-24, commit f85898632d (pre-v1.0.0); tested on v3.13.3-389-gdc2644ef7e
Fixed in: 2026-04-19, commit a93ba0ffaa ("svc: Check for invalid params for svc layer id setting", Bug: 503975732, 503993984, 503993985), released in v3.14.0. The fix adds bounds validation to ctrl_set_layer_id() and ctrl_set_spatial_layer_id(), returning AOM_CODEC_INVALID_PARAM when spatial_layer_id or temporal_layer_id is outside the range [0, configured_layers).
Upstream report: https://issues.chromium.org/issues/503975732 (restricted)

Reporter: The FuzzAnything Team
PSIRT Ticket: PSIRTSUPT-17178