<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
	<DocumentTitle xml:lang="en">An update for aom is now available for openEuler-24.03-LTS-SP1</DocumentTitle>
	<DocumentType>Security Advisory</DocumentType>
	<DocumentPublisher Type="Vendor">
		<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
		<IssuingAuthority>openEuler security committee</IssuingAuthority>
	</DocumentPublisher>
	<DocumentTracking>
		<Identification>
			<ID>openEuler-SA-2026-2866</ID>
		</Identification>
		<Status>Final</Status>
		<Version>1.0</Version>
		<RevisionHistory>
			<Revision>
				<Number>1.0</Number>
				<Date>2026-07-06</Date>
				<Description>Initial</Description>
			</Revision>
		</RevisionHistory>
		<InitialReleaseDate>2026-07-06</InitialReleaseDate>
		<CurrentReleaseDate>2026-07-06</CurrentReleaseDate>
		<Generator>
			<Engine>openEuler SA Tool V1.0</Engine>
			<Date>2026-07-06</Date>
		</Generator>
	</DocumentTracking>
	<DocumentNotes>
		<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">aom security update</Note>
		<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for aom is now available for openEuler-24.03-LTS-SP1</Note>
		<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">The Alliance for Open Media’s focus is to deliver a next-generation video format that is:

Security Fix(es):

An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.(CVE-2026-56209)

A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).(CVE-2026-56210)

A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder&apos;s SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.(CVE-2026-56211)</Note>
		<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for aom is now available for openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP4.

openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
		<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
		<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">aom</Note>
	</DocumentNotes>
	<DocumentReferences>
		<Reference Type="Self">
			<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2866</URL>
		</Reference>
		<Reference Type="openEuler CVE">
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-56209</URL>
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-56210</URL>
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-56211</URL>
		</Reference>
		<Reference Type="Other">
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2026-56209</URL>
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2026-56210</URL>
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2026-56211</URL>
		</Reference>
	</DocumentReferences>
	<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
		<Branch Type="Product Name" Name="openEuler">
			<FullProductName ProductID="openEuler-24.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP1">openEuler-24.03-LTS-SP1</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="src">
			<FullProductName ProductID="aom-3.8.0-6" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP1">aom-3.8.0-6.oe2403sp1.src.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="x86_64">
			<FullProductName ProductID="aom-3.8.0-6" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP1">aom-3.8.0-6.oe2403sp1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="aom-debuginfo-3.8.0-6" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP1">aom-debuginfo-3.8.0-6.oe2403sp1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="aom-debugsource-3.8.0-6" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP1">aom-debugsource-3.8.0-6.oe2403sp1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libaom-3.8.0-6" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP1">libaom-3.8.0-6.oe2403sp1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libaom-devel-3.8.0-6" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP1">libaom-devel-3.8.0-6.oe2403sp1.x86_64.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="aarch64">
			<FullProductName ProductID="aom-3.8.0-6" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP1">aom-3.8.0-6.oe2403sp1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="aom-debuginfo-3.8.0-6" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP1">aom-debuginfo-3.8.0-6.oe2403sp1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="aom-debugsource-3.8.0-6" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP1">aom-debugsource-3.8.0-6.oe2403sp1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libaom-3.8.0-6" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP1">libaom-3.8.0-6.oe2403sp1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libaom-devel-3.8.0-6" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP1">libaom-devel-3.8.0-6.oe2403sp1.aarch64.rpm</FullProductName>
		</Branch>
	</ProductTree>
	<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.</Note>
		</Notes>
		<ReleaseDate>2026-07-06</ReleaseDate>
		<CVE>CVE-2026-56209</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-24.03-LTS-SP1</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>7.1</BaseScore>
				<Vector>AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>aom security update</Description>
				<DATE>2026-07-06</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2866</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
	<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).</Note>
		</Notes>
		<ReleaseDate>2026-07-06</ReleaseDate>
		<CVE>CVE-2026-56210</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-24.03-LTS-SP1</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>7.1</BaseScore>
				<Vector>AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>aom security update</Description>
				<DATE>2026-07-06</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2866</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
	<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder&apos;s SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.</Note>
		</Notes>
		<ReleaseDate>2026-07-06</ReleaseDate>
		<CVE>CVE-2026-56211</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-24.03-LTS-SP1</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>7.1</BaseScore>
				<Vector>AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>aom security update</Description>
				<DATE>2026-07-06</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2866</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
</cvrfdoc>