Search
Search Results (19 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-56211 | 2 Aomedia, Redhat | 5 Libaom, Enterprise Linux, Enterprise Linux Ai and 2 more | 2026-06-25 | 7.1 High |
| A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames. | ||||
| CVE-2026-56208 | 2 Aomedia, Redhat | 5 Libaom, Enterprise Linux, Enterprise Linux Ai and 2 more | 2026-06-25 | 7.6 High |
| A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution. | ||||
| CVE-2026-56209 | 2 Aomedia, Redhat | 5 Libaom, Enterprise Linux, Enterprise Linux Ai and 2 more | 2026-06-24 | 7.1 High |
| An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution. | ||||
| CVE-2026-56210 | 2 Aomedia, Redhat | 5 Libaom, Enterprise Linux, Enterprise Linux Ai and 2 more | 2026-06-24 | 7.1 High |
| A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory). | ||||
| CVE-2023-6879 | 2 Aomedia, Fedoraproject | 2 Aomedia, Fedora | 2026-06-23 | 9 Critical |
| Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc(). | ||||
| CVE-2025-48175 | 1 Aomedia | 1 Libavif | 2025-11-03 | 4.5 Medium |
| In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer overflows in multiplications involving rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes. | ||||
| CVE-2025-48174 | 1 Aomedia | 1 Libavif | 2025-11-03 | 4.5 Medium |
| In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size. | ||||
| CVE-2024-5171 | 1 Aomedia | 1 Libaom | 2025-02-13 | 9.8 Critical |
| Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers: * Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. * Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. * Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. | ||||
| CVE-2023-39616 | 1 Aomedia | 1 Aomedia | 2024-11-21 | 7.5 High |
| AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read memory access via the component assign_frame_buffer_p in av1/common/av1_common_int.h. | ||||
| CVE-2021-30475 | 2 Aomedia, Fedoraproject | 2 Aomedia, Fedora | 2024-11-21 | 9.8 Critical |
| aom_dsp/noise_model.c in libaom in AOMedia before 2021-03-24 has a buffer overflow. | ||||
| CVE-2021-30474 | 1 Aomedia | 1 Aomedia | 2024-11-21 | 9.8 Critical |
| aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free. | ||||
| CVE-2021-30473 | 2 Aomedia, Fedoraproject | 2 Aomedia, Fedora | 2024-11-21 | 9.8 Critical |
| aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap. | ||||
| CVE-2020-36407 | 2 Aomedia, Linux | 2 Libavif, Linux Kernel | 2024-11-21 | 8.8 High |
| libavif 0.8.0 and 0.8.1 has an out-of-bounds write in avifDecoderDataFillImageGrid. | ||||
| CVE-2020-36135 | 1 Aomedia | 1 Aomedia | 2024-11-21 | 6.5 Medium |
| AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component rate_hist.c. | ||||
| CVE-2020-36134 | 1 Aomedia | 1 Aomedia | 2024-11-21 | 6.5 Medium |
| AOM v2.0.1 was discovered to contain a segmentation violation via the component aom_dsp/x86/obmc_sad_avx2.c. | ||||
| CVE-2020-36133 | 1 Aomedia | 1 Aomedia | 2024-11-21 | 8.8 High |
| AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h. | ||||
| CVE-2020-36131 | 1 Aomedia | 1 Aomedia | 2024-11-21 | 8.8 High |
| AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c. | ||||
| CVE-2020-36130 | 1 Aomedia | 1 Aomedia | 2024-11-21 | 6.5 Medium |
| AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c. | ||||
| CVE-2020-36129 | 1 Aomedia | 1 Aomedia | 2024-11-21 | 8.8 High |
| AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c. | ||||
Page 1 of 1.