Heap Buffer Overflow in libaom AV1 Codec Implementation
CVE-2026-56210

7.1 HIGH

What is CVE-2026-56210?

A heap-buffer-overflow read vulnerability exists in libaom, the AV1 codec. The flaw arises from a missing bounds check in the SVC layer ID control function, which allows an attacker-supplied spatial_layer_id to exceed the configured layer count. The out-of-range index results in a read of heap memory beyond the intended buffer, potentially disclosing sensitive information or causing a denial of service through a segmentation fault when the read touches an unmapped memory region.
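The following C example is added here to illustrate the pattern the description names; it is a constructed model, not libaom's code. The struct `svc_ctx_t`, the helper names (`configure_layers`, `set_layer_id_unchecked`, `set_layer_id_checked`, `current_layer_bitrate`) and the per-layer array are assumptions for the example. It places the unchecked setter beside the hardened one, which validates the id against the configured layer count before storing it, and shows why a later consumer that trusts the stored id would otherwise read past a heap buffer.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not libaom code: models an SVC layer-id control. */
#define MAX_SPATIAL_LAYERS 4   /* assumed upper bound for the example */

typedef struct {
    int number_spatial_layers;   /* configured layer count */
    int spatial_layer_id;        /* layer currently selected by the caller */
    int *layer_target_bitrate;   /* heap array with number_spatial_layers entries */
} svc_ctx_t;

/* Allocate per-layer state for n layers; n itself is bounded. */
int configure_layers(svc_ctx_t *ctx, int n) {
    if (n < 1 || n > MAX_SPATIAL_LAYERS)
        return -1;
    ctx->layer_target_bitrate = calloc((size_t)n, sizeof(int));
    if (ctx->layer_target_bitrate == NULL)
        return -1;
    ctx->number_spatial_layers = n;
    ctx->spatial_layer_id = 0;
    for (int i = 0; i < n; i++)
        ctx->layer_target_bitrate[i] = 100 * (i + 1);   /* constructed values */
    return 0;
}

void release_layers(svc_ctx_t *ctx) {
    free(ctx->layer_target_bitrate);
    ctx->layer_target_bitrate = NULL;
    ctx->number_spatial_layers = 0;
}

/* Vulnerable pattern: stores the id without comparing it to the layer count. */
int set_layer_id_unchecked(svc_ctx_t *ctx, int spatial_layer_id) {
    ctx->spatial_layer_id = spatial_layer_id;
    return 0;
}

/* Hardened pattern: reject any id outside [0, number_spatial_layers). */
int set_layer_id_checked(svc_ctx_t *ctx, int spatial_layer_id) {
    if (spatial_layer_id < 0 || spatial_layer_id >= ctx->number_spatial_layers)
        return -1;   /* invalid parameter; the previous id is kept */
    ctx->spatial_layer_id = spatial_layer_id;
    return 0;
}

/* A consumer that trusts spatial_layer_id. With the unchecked setter and an id
 * equal to the layer count, this reads one int past the heap allocation. */
int current_layer_bitrate(const svc_ctx_t *ctx) {
    return ctx->layer_target_bitrate[ctx->spatial_layer_id];
}

/* Returns 1 when the hardened setter accepts in-range ids and rejects the rest. */
int check_layer_id_validation(void) {
    svc_ctx_t ctx;
    int ok = 1;
    if (configure_layers(&ctx, 3) != 0) return 0;
    if (set_layer_id_checked(&ctx, 2) != 0) ok = 0;     /* last valid layer */
    if (current_layer_bitrate(&ctx) != 300) ok = 0;
    if (set_layer_id_checked(&ctx, 3) != -1) ok = 0;    /* == layer count: rejected */
    if (set_layer_id_checked(&ctx, -1) != -1) ok = 0;
    if (ctx.spatial_layer_id != 2) ok = 0;              /* rejected calls change nothing */
    release_layers(&ctx);
    return ok;
}

/* Returns 1 when the unchecked setter stores an id equal to the layer count,
 * i.e. the state from which current_layer_bitrate() would read out of bounds. */
int check_unchecked_accepts_out_of_range(void) {
    svc_ctx_t ctx;
    if (configure_layers(&ctx, 3) != 0) return 0;
    set_layer_id_unchecked(&ctx, 3);
    int stored_past_end = ctx.spatial_layer_id >= ctx.number_spatial_layers;
    /* current_layer_bitrate(&ctx) is deliberately not called here. */
    release_layers(&ctx);
    return stored_past_end;
}

int main(void) {
    printf("hardened setter validates ids: %s\n",
           check_layer_id_validation() ? "yes" : "no");
    printf("unchecked setter accepts out-of-range id: %s\n",
           check_unchecked_accepts_out_of_range() ? "yes" : "no");
    return 0;
}
```

The check belongs in the control function itself rather than in each consumer, because the stored id outlives the call and every later reader of per-layer state would otherwise need its own guard. Running the unchecked variant under AddressSanitizer and then calling a consumer is the usual way such a read is caught in fuzzing, which matches how this issue was reported.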

References

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank The FuzzAnything Team (FuzzAnything) for reporting this issue.