Remote Code Execution Vulnerability in libaom AV1 Codec by AOMedia
CVE-2026-56211
7.1 HIGH
What is CVE-2026-56211?
Insufficient bounds validation in the SVC layer ID control of the libaom AV1 codec can be exploited for remote code execution. An attacker can supply specially crafted video frame pixels that end up overlapping in memory with the encoder's internal structures. This lets the attacker hijack the cyclic refresh map pointer and manipulate the video encoding process, potentially leading to arbitrary command execution in targeted attacks on services that use libaom with SVC encoding enabled.
CVSS V3.1
Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank The FuzzAnything Team (FuzzAnything) for reporting this issue.