{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-56208", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-06-19T15:50:16.801Z", "datePublished": "2026-06-19T16:28:26.466Z", "dateUpdated": "2026-06-29T00:06:34.566Z"}, "containers": {"cna": {"title": "Libaom: libaom: heap buffer overflow in av1 encoder first-pass stats buffer via lap mode", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Hardened Images", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "aom-main", "defaultStatus": "affected", "versions": [{"version": "3.14.0-0.1.hum1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:hummingbird:1"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "firefox", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "thunderbird", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "firefox", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "thunderbird", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI) 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "aom", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:enterprise_linux_ai:3"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:30814", "name": "RHSA-2026:30814", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-56208", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://aomedia.googlesource.com/aom/+/243f8ae84b"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490799", "name": "RHBZ#2490799", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://issues.chromium.org/issues/504317456"}], "datePublic": "2026-06-19T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow", "workarounds": [{"lang": "en", "value": "There is no complete mitigation for this vulnerability. The following measures can reduce risk:\n\n1. If using libaom as a standalone encoder library, avoid setting g_lag_in_frames to values >= 1 when processing untrusted input, or validate all encoder configuration parameters before passing them to the libaom API.\n2. For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later).\n3. For standalone libaom deployments (RHEL-AI, Hummingbird), restrict access to the encoding service to trusted clients only.\n4. Apply network-level access controls to limit who can submit video for encoding."}], "timeline": [{"lang": "en", "time": "2026-06-19T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-19T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank The FuzzAnything Team (FuzzAnything) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-29T00:06:34.566Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-25T03:55:29.788406Z", "id": "CVE-2026-56208", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-25T13:47:21.579Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-56208", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-25T03:55:29.788406Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T14:19:29.929Z"}}], "cna": {"title": "Libaom: libaom: heap buffer overflow in av1 encoder first-pass stats buffer via lap mode", "credits": [{"lang": "en", "value": "Red Hat would like to thank The FuzzAnything Team (FuzzAnything) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/a:redhat:hummingbird:1"], "vendor": "Red Hat", "product": "Red Hat Hardened Images", "versions": [{"status": "unaffected", "version": "3.14.0-0.1.hum1", "lessThan": "*", "versionType": "rpm"}], "packageName": "aom-main", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "packageName": "firefox", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "packageName": "thunderbird", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "firefox", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "thunderbird", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux_ai:3"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI) 3", "packageName": "aom", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-06-19T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-19T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-06-19T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:30814", "name": "RHSA-2026:30814", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-56208", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://aomedia.googlesource.com/aom/+/243f8ae84b"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490799", "name": "RHBZ#2490799", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://issues.chromium.org/issues/504317456"}], "workarounds": [{"lang": "en", "value": "There is no complete mitigation for this vulnerability. The following measures can reduce risk:\n\n1. If using libaom as a standalone encoder library, avoid setting g_lag_in_frames to values >= 1 when processing untrusted input, or validate all encoder configuration parameters before passing them to the libaom API.\n2. For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later).\n3. For standalone libaom deployments (RHEL-AI, Hummingbird), restrict access to the encoding service to trusted clients only.\n4. Apply network-level access controls to limit who can submit video for encoding."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-29T00:06:34.566Z"}, "x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow"}}, "cveMetadata": {"cveId": "CVE-2026-56208", "state": "PUBLISHED", "dateUpdated": "2026-06-29T00:06:34.566Z", "dateReserved": "2026-06-19T15:50:16.801Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-06-19T16:28:26.466Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{}

{"acknowledgement": "Red Hat would like to thank The FuzzAnything Team (FuzzAnything) for reporting this issue.", "bugzilla": {"description": "libaom: libaom: heap buffer overflow in AV1 encoder first-pass stats buffer via LAP mode", "id": "2490799", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490799"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-122", "details": ["A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution."], "mitigation": {"lang": "en:us", "value": "There is no complete mitigation for this vulnerability. The following measures can reduce risk:\n1. If using libaom as a standalone encoder library, avoid setting g_lag_in_frames to values >= 1 when processing untrusted input, or validate all encoder configuration parameters before passing them to the libaom API.\n2. For Firefox and Thunderbird, ensure browsers are updated to versions that include the patched libaom (v3.14.0 or later).\n3. For standalone libaom deployments (RHEL-AI, Hummingbird), restrict access to the encoding service to trusted clients only.\n4. Apply network-level access controls to limit who can submit video for encoding."}, "name": "CVE-2026-56208", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "aom", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "aom", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-06-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-56208\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-56208\nhttps://aomedia.googlesource.com/aom/+/243f8ae84b\nhttps://issues.chromium.org/issues/504317456"], "statement": "This vulnerability is rated as Important severity because a heap buffer overflow with attacker-influenced data can cause reliable denial of service and potentially lead to code execution, though the attacker has only indirect control over the written values (encoder-computed statistics). In Red Hat products, libaom ships bundled within Firefox and Thunderbird as a statically-linked dependency used for AV1 decoding and WebRTC encoding. The vulnerable code path requires the encoder to be configured with g_lag_in_frames >= 1 (Look-Ahead Processing mode). In Firefox's WebRTC implementation, the encoder configuration is controlled by the browser itself and not exposed to remote peers, which significantly limits the attack surface compared to standalone transcoding services. RHEL-AI 3.4 and Hummingbird 1 ship standalone libaom (aom) packages at versions within the affected range. Applications on those platforms that use the libaom encoder API with LAP mode and accept untrusted configuration input are vulnerable.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "product": "libaom", "vendor": "aomedia"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Enterprise Linux 10", "source": "cna", "vendor": "Red Hat"}, "product": "enterprise_linux", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Enterprise Linux AI (RHEL AI) 3", "source": "cna", "vendor": "Red Hat"}, "product": "enterprise_linux_ai", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "Red Hat Hardened Images", "source": "cna", "vendor": "Red Hat"}, "product": "hardened_images", "vendor": "redhat"}], "created": "2026-06-19T21:00:04.918702+00:00", "updated": "2026-06-24T20:41:43.522995+00:00", "vendors": ["aomedia", "aomedia$PRODUCT$libaom", "redhat", "redhat$PRODUCT$enterprise_linux", "redhat$PRODUCT$enterprise_linux_ai", "redhat$PRODUCT$hardened_images"]}