OESA-2026-2865

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2865
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2865.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2865
Upstream
  • CVE-2026-56209
  • CVE-2026-56210
  • CVE-2026-56211
Published
2026-07-06T06:29:24Z
Modified
2026-07-06T06:45:13.874952039Z
Summary
aom security update
Details

The Alliance for Open Media’s focus is to deliver a next-generation video format that is:

Security Fix(es):

An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.(CVE-2026-56209)

A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatiallayerid exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).(CVE-2026-56210)

A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.(CVE-2026-56211)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:22.03-LTS-SP4 / aom

Package

Name
aom
Purl
pkg:rpm/openEuler/aom&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.0-3.oe2203sp4

Ecosystem specific

{
    "x86_64": [
        "aom-1.0.0-3.oe2203sp4.x86_64.rpm",
        "aom-debuginfo-1.0.0-3.oe2203sp4.x86_64.rpm",
        "aom-debugsource-1.0.0-3.oe2203sp4.x86_64.rpm",
        "libaom-1.0.0-3.oe2203sp4.x86_64.rpm",
        "libaom-devel-1.0.0-3.oe2203sp4.x86_64.rpm"
    ],
    "aarch64": [
        "aom-1.0.0-3.oe2203sp4.aarch64.rpm",
        "aom-debuginfo-1.0.0-3.oe2203sp4.aarch64.rpm",
        "aom-debugsource-1.0.0-3.oe2203sp4.aarch64.rpm",
        "libaom-1.0.0-3.oe2203sp4.aarch64.rpm",
        "libaom-devel-1.0.0-3.oe2203sp4.aarch64.rpm"
    ],
    "src": [
        "aom-1.0.0-3.oe2203sp4.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2865.json"