HIGH · CVE-2026-56209 · CNA: redhat

CVE-2026-56209: Libaom: libaom: arbitrary address write via svc layer context oob and cyclic refresh map pointer hijack

An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 6


HarborGuard Analysis

Synopsis

An arbitrary address write vulnerability exists in libaom, the reference AV1 codec library. The flaw is reachable over the network with no authentication required, exploitable by supplying crafted AV1-encoded frames to a network-facing encoder with Scalable Video Coding (SVC) enabled; a missing bounds check lets the attacker inject a pointer into the cyclic refresh map field, after which the encoder writes roughly 1,200 bytes at that attacker-controlled address. Successful exploitation causes denial of service or enables code execution. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix lands.

HarborGuard Coverage

Detection

Detection of CVE-2026-56209 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Red Hat advisory stream) within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle libaom directly or via an OS package layer.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.1 (Critical) and weighting it against each environment's compliance policy to determine urgency and routing; alerts are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the Red Hat advisory and upstream libaom release channels on every ingest cycle; the moment a patched release is available, a rebuilt image at that version becomes available automatically, and customers with auto-remediation enabled will receive a regression-test run and a PR opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to deliver crafted AV1 frames to a network-exposed libaom encoder, making over-the-network reachability a prerequisite.

  • Authentication: Not required

    The CVSS vector specifies PR:N, meaning no account or credential of any privilege level is needed to supply malicious frames.

  • Victim interaction: Not required

    The CVSS vector specifies UI:N; exploitation is fully automated once the attacker can submit frames and requires no action from a user or operator.

  • Attack complexity: Detail

    The CVSS vector specifies AC:L; the exploit is fully deterministic, requires no information leak, and imposes no race-condition or memory-layout constraints on the attacker.

Blast Radius

  • Writes approximately 1,200 bytes to an attacker-chosen memory address inside the encoding process, corrupting heap or stack data at that location.
  • Crashes the libaom encoder process, disrupting any service that depends on AV1 encoding (denial of service).
  • With a suitable target address, overwrites function pointers or control structures in a way that redirects execution to attacker-supplied code (remote code execution within the process).
  • The CVSS confidentiality score is N, so direct data disclosure is not part of this exploit path; impact is limited to integrity corruption and availability loss.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-56209 has been published, the platform monitors the Red Hat advisory and upstream libaom release channels on every ingest cycle and will make a patched-image rebuild available automatically when an upstream fix appears. In the meantime, customers can apply compensating controls through HarborGuard policy: network-policy isolation to restrict which workloads are permitted to accept external AV1 frame input, egress filtering to reduce the encoder's blast radius if it is compromised, and feature-flag or deployment-config changes to disable SVC mode in libaom encoders where that feature is not operationally required. For customers with auto-remediation enabled, the moment a fix version is published the platform will trigger a rebuild, run the configured regression suite, and open a PR against affected workloads; given the Critical (9.1) severity, this issue is prioritized in the high-severity queue where median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled.

Affected packages
  • Red Hat / Red Hat Enterprise Linux 10
  • Red Hat / Red Hat Enterprise Linux 10
  • Red Hat / Red Hat Enterprise Linux 9
  • Red Hat / Red Hat Enterprise Linux 9
  • Red Hat / Red Hat Enterprise Linux AI (RHEL AI) 3
  • Red Hat / Red Hat Hardened Images
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H