Arbitrary Address Write Vulnerability in libaom AV1 Codec Implementation
CVE-2026-56209

7.1 HIGH

What is CVE-2026-56209?

A vulnerability in the libaom AV1 codec implementation allows for arbitrary address writes due to a missing bounds check in the SVC (Scalable Video Coding) layer ID control function. Attackers can exploit this flaw by supplying specially crafted image pixel values to the encoder, leading to the injection of an arbitrary pointer. This enables the encoder to write approximately 1,200 bytes to an address controlled by the attacker. Successful exploitation can result in denial of service or the potential for arbitrary code execution, particularly if the libaom encoder is exposed to network requests.

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank The FuzzAnything Team (FuzzAnything) for reporting this issue.