Source: aom
Version: 3.13.1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for aom.

CVE-2026-56208[0]:
| A heap buffer overflow vulnerability was found in libaom, the
| reference AV1 codec implementation. A flaw in the AV1 encoder's
| Look-Ahead Processing (LAP) mode causes the first-pass stats ring
| buffer wrap-around guard to be bypassed when g_lag_in_frames is set
| to 1 or higher. This results in a 232-byte out-of-bounds write on
| every encoded frame after the second, corrupting adjacent heap
| objects. An attacker who can influence encoder configuration in a
| transcoding service or WebRTC session could exploit this to cause a
| denial of service (process crash) or potentially achieve code
| execution.

CVE-2026-56209[1]:
| An arbitrary address write vulnerability was found in libaom, the
| reference AV1 codec implementation. A missing bounds check in the
| SVC (Scalable Video Coding) layer ID control function allows an
| attacker to inject an arbitrary pointer into the cyclic refresh map
| field via crafted image pixel values. The encoder then writes
| approximately 1,200 bytes at the attacker-controlled address. This
| is fully deterministic and does not require a separate information
| leak. An attacker who can supply frames to a network-facing libaom
| encoder with SVC enabled could exploit this for denial of service or
| potential code execution.

CVE-2026-56210[2]:
| A heap-buffer-overflow read vulnerability was found in libaom, the
| reference AV1 codec implementation. A missing bounds check in the
| SVC (Scalable Video Coding) layer ID control function allows setting
| a spatial_layer_id exceeding the configured number of layers. This
| causes an out-of-bounds heap read of approximately 40,728 bytes when
| computing a layer context array index. An attacker who can influence
| SVC encoder parameters in a network-facing service could exploit
| this for information disclosure (heap content leak) or denial of
| service (segmentation fault from hitting unmapped memory).

CVE-2026-56211[3]:
| A remote code execution vulnerability was found in libaom, the
| reference AV1 codec implementation. Insufficient bounds validation
| in the AV1 encoder's SVC (Scalable Video Coding) layer ID control
| allows an attacker to supply crafted video frame pixels that overlap
| with internal encoder layer context structures. In fork-based video
| processing services, an attacker can use this to hijack the cyclic
| refresh map pointer, brute-force the process base address via a
| crash oracle, and redirect control flow to achieve arbitrary command
| execution. Exploitation requires the target service to use libaom
| with SVC encoding enabled and accept attacker-supplied video frames.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-56208
    https://www.cve.org/CVERecord?id=CVE-2026-56208
[1] https://security-tracker.debian.org/tracker/CVE-2026-56209
    https://www.cve.org/CVERecord?id=CVE-2026-56209
[2] https://security-tracker.debian.org/tracker/CVE-2026-56210
    https://www.cve.org/CVERecord?id=CVE-2026-56210
[3] https://security-tracker.debian.org/tracker/CVE-2026-56211
    https://www.cve.org/CVERecord?id=CVE-2026-56211

Regards,
Salvatore

