{"schema_version":"1.7.2","id":"OESA-2026-2867","modified":"2026-07-06T06:29:37Z","published":"2026-07-06T06:29:37Z","upstream":["CVE-2026-56209","CVE-2026-56210","CVE-2026-56211"],"summary":"aom security update","details":"The Alliance for Open Media’s focus is to deliver a next-generation video format that is:\r\n\r\nSecurity Fix(es):\n\nAn arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.(CVE-2026-56209)\n\nA heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).(CVE-2026-56210)\n\nA remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder&apos;s SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.(CVE-2026-56211)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP3","name":"aom","purl":"pkg:rpm/openEuler/aom&distro=openEuler-24.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.8.0-6.oe2403sp3"}]}],"ecosystem_specific":{"aarch64":["aom-3.8.0-6.oe2403sp3.aarch64.rpm","aom-debuginfo-3.8.0-6.oe2403sp3.aarch64.rpm","aom-debugsource-3.8.0-6.oe2403sp3.aarch64.rpm","libaom-3.8.0-6.oe2403sp3.aarch64.rpm","libaom-devel-3.8.0-6.oe2403sp3.aarch64.rpm"],"src":["aom-3.8.0-6.oe2403sp3.src.rpm"],"x86_64":["aom-3.8.0-6.oe2403sp3.x86_64.rpm","aom-debuginfo-3.8.0-6.oe2403sp3.x86_64.rpm","aom-debugsource-3.8.0-6.oe2403sp3.x86_64.rpm","libaom-3.8.0-6.oe2403sp3.x86_64.rpm","libaom-devel-3.8.0-6.oe2403sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2867"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-56209"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-56210"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-56211"}],"database_specific":{"severity":"High"}}
