CVE-2026-12706: FFmpeg RASC: UAF in decoder crashes AI inference containers
Severity: MEDIUM
A use-after-free vulnerability (CWE-416) in FFmpeg's RASC video decoder allows any attacker who can deliver a crafted AVI file to crash the decoding process, resulting in a denial of service. The primary AI concern is FFmpeg's direct presence in Red Hat AI (rhelai3) CUDA and ROCm bootc images for AWS, Azure, and GCP, as well as OpenShift AI components including the OpenVINO model server and vLLM Gaudi inference server: any multimodal inference node built on these images that processes user-supplied video is exposed. With no public exploit, no KEV listing, and impact strictly limited to availability (CVSS 6.5, A:H only), immediate exploitation likelihood is low; however, FFmpeg's 130 downstream dependents and 62 prior CVEs in the same package make it a persistent attack surface embedded across AI infrastructure. Audit rhelai3 and RHOAI container images for FFmpeg inclusion, apply the upstream patch when released, and restrict multimedia file ingestion in AI pipelines to trusted, pre-validated sources.
What is the risk?
Medium risk overall. CVSS 6.5 with AV:N/AC:L/PR:N/UI:R correctly reflects a network-reachable, low-complexity attack that needs a user or an automated pipeline to open a malicious file. There is no confidentiality or integrity impact; the loss is purely availability. In AI infrastructure the risk rises when multimedia decoding is part of an inference or data-ingestion workflow: a single crafted AVI crashes whichever process hosts the decoder, and if that is the vLLM or OpenVINO serving process itself (in-process libavcodec bindings rather than a separate ffmpeg subprocess), inference availability is lost for all users until the container restarts. No EPSS data, no evidence of active exploitation and no public proof of concept keep the immediate threat level low. The broad inclusion of FFmpeg in Red Hat AI container images widens the blast radius beyond that of a typical multimedia library CVE.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| vLLM | pip | — | No patch |
| ffmpeg | — | — | No patch |
| nv-codec-headers | — | — | No patch |
| rhelai3/bootc-aws-cuda-rhel9 | — | — | No patch |
| rhelai3/bootc-azure-cuda-rhel9 | — | — | No patch |
| rhelai3/bootc-azure-rocm-rhel9 | — | — | No patch |
| rhelai3/bootc-cuda-rhel9 | — | — | No patch |
| rhelai3/bootc-gcp-cuda-rhel9 | — | — | No patch |
| rhelai3/bootc-rocm-rhel9 | — | — | No patch |
| rhoai/odh-openvino-model-server-rhel9 | — | — | No patch |
What should I do?
Recommended actions (5 steps):
1. Patch: Monitor https://ffmpeg.org/security.html and Red Hat CVE advisories for the patched FFmpeg build; rebuild affected rhelai3 and RHOAI container images immediately upon availability.
2. Disable unused codec: If RASC video support is not required, recompile FFmpeg with --disable-decoder=rasc to eliminate the vulnerable code path entirely.
3. Input validation: Restrict AI pipelines to trusted, pre-validated video sources; reject AVI files from untrusted users before handing them to any FFmpeg-backed decoder.
4. Container hardening: Pin container image versions and implement image scanning (e.g., Trivy, Grype) in CI/CD to catch vulnerable FFmpeg packages before deployment.
5. Detection: Monitor AI inference node process crash logs and container restart events; sudden unexplained crashes of vLLM or OpenVINO containers after processing external video input are a candidate indicator of exploitation attempts.
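As an added example of step 3, written for this page and not taken from FFmpeg or Red Hat (and no substitute for the upstream fix): a fail-closed pre-filter in C that walks the RIFF/AVI header tree and rejects an upload unless every video stream's handler FourCC (in strh) and biCompression tag (in strf) is on an allowlist, so a stream tagged RASC never reaches libavcodec. The allowlist contents, the build_avi helper that constructs the sample header-only file, and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fail-closed verdicts: anything that is not a well-formed AVI whose video
 * streams all carry an allow-listed FourCC is rejected before ffmpeg sees it. */
enum avi_verdict { AVI_ALLOW = 0, AVI_REJECT_CODEC, AVI_REJECT_MALFORMED, AVI_REJECT_NO_VIDEO };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static int tag_allowed(const uint8_t *tag, const char *const *allow, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (memcmp(tag, allow[i], 4) == 0) return 1;
    return 0;
}

struct walk { const char *const *allow; size_t nallow; int nvideo; int in_video_strl; };

/* Walk the chunk sequence in [p, end). LIST chunks nest; 'strh' carries the
 * stream type and handler FourCC, 'strf' (BITMAPINFOHEADER) carries biCompression. */
static enum avi_verdict walk_chunks(const uint8_t *p, const uint8_t *end, struct walk *w, int depth) {
    if (depth > 8) return AVI_REJECT_MALFORMED;                    /* bounded recursion */
    while (p < end) {
        if ((size_t)(end - p) < 8) return AVI_REJECT_MALFORMED;
        const uint8_t *id = p;
        uint32_t size = rd32le(p + 4);
        const uint8_t *body = p + 8;
        if (size > (size_t)(end - body)) return AVI_REJECT_MALFORMED; /* declared size overruns file */
        if (memcmp(id, "LIST", 4) == 0) {
            if (size < 4) return AVI_REJECT_MALFORMED;
            if (memcmp(body, "strl", 4) == 0) w->in_video_strl = 0;  /* new stream header list */
            enum avi_verdict v = walk_chunks(body + 4, body + size, w, depth + 1);
            if (v != AVI_ALLOW) return v;
        } else if (memcmp(id, "strh", 4) == 0) {
            if (size < 8) return AVI_REJECT_MALFORMED;
            w->in_video_strl = memcmp(body, "vids", 4) == 0;         /* fccType */
            if (w->in_video_strl) {
                w->nvideo++;
                if (!tag_allowed(body + 4, w->allow, w->nallow))     /* fccHandler */
                    return AVI_REJECT_CODEC;
            }
        } else if (memcmp(id, "strf", 4) == 0 && w->in_video_strl) {
            if (size < 20) return AVI_REJECT_MALFORMED;
            if (!tag_allowed(body + 16, w->allow, w->nallow))        /* biCompression */
                return AVI_REJECT_CODEC;
        }
        p = body + size + (size & 1);                               /* chunks are word-aligned */
    }
    return AVI_ALLOW;
}

/* Top-level check for an in-memory upload. */
enum avi_verdict avi_check(const uint8_t *buf, size_t len, const char *const *allow, size_t nallow) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "AVI ", 4) != 0)
        return AVI_REJECT_MALFORMED;
    uint32_t riff_size = rd32le(buf + 4);
    if (riff_size < 4 || riff_size > len - 8) return AVI_REJECT_MALFORMED; /* truncated upload */
    struct walk w = { allow, nallow, 0, 0 };
    enum avi_verdict v = walk_chunks(buf + 12, buf + 8 + riff_size, &w, 0);
    if (v != AVI_ALLOW) return v;
    return w.nvideo ? AVI_ALLOW : AVI_REJECT_NO_VIDEO;
}

/* --- Constructed sample input (not a real capture): a minimal header-only AVI --- */
static uint8_t *put_tag(uint8_t *o, const char *t) { memcpy(o, t, 4); return o + 4; }
static uint8_t *put32(uint8_t *o, uint32_t v) {
    o[0] = (uint8_t)v; o[1] = (uint8_t)(v >> 8); o[2] = (uint8_t)(v >> 16); o[3] = (uint8_t)(v >> 24);
    return o + 4;
}

/* RIFF 'AVI ' > LIST hdrl > LIST strl > strh(vids, handler) + strf(BITMAPINFOHEADER, compression) */
size_t build_avi(uint8_t *o, const char *handler, const char *compression) {
    uint8_t strh[56] = {0}, strf[40] = {0};
    memcpy(strh, "vids", 4); memcpy(strh + 4, handler, 4);
    put32(strf, 40); memcpy(strf + 16, compression, 4);
    uint32_t strl_len = 4 + 8 + sizeof strh + 8 + sizeof strf;    /* 116 */
    uint32_t hdrl_len = 4 + 8 + strl_len;                           /* 128 */
    uint8_t *p = o;
    p = put_tag(p, "RIFF"); p = put32(p, 4 + 8 + hdrl_len); p = put_tag(p, "AVI ");
    p = put_tag(p, "LIST"); p = put32(p, hdrl_len); p = put_tag(p, "hdrl");
    p = put_tag(p, "LIST"); p = put32(p, strl_len); p = put_tag(p, "strl");
    p = put_tag(p, "strh"); p = put32(p, sizeof strh); memcpy(p, strh, sizeof strh); p += sizeof strh;
    p = put_tag(p, "strf"); p = put32(p, sizeof strf); memcpy(p, strf, sizeof strf); p += sizeof strf;
    return (size_t)(p - o);
}

int main(void) {
    const char *const allow[] = { "MJPG", "H264", "avc1" };   /* assumption: what the pipeline needs */
    uint8_t buf[256];
    size_t n = build_avi(buf, "RASC", "RASC");
    printf("RASC stream -> verdict %d (1 = rejected codec)\n", avi_check(buf, n, allow, 3));
    n = build_avi(buf, "MJPG", "MJPG");
    printf("MJPG stream -> verdict %d (0 = allowed)\n", avi_check(buf, n, allow, 3));
    return 0;
}
```

Both tags are checked because FFmpeg's AVI demuxer picks the video decoder primarily from biCompression in strf, with the strh handler as a fallback, so a file that lies in one place must not get through on the other. The filter complements the build-time --disable-decoder=rasc; it does not replace it, since FFmpeg also probes input by content and the same codec can arrive in other containers.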
Frequently Asked Questions
What is CVE-2026-12706?
A use-after-free vulnerability (CWE-416) in FFmpeg's RASC video decoder allows any attacker who can deliver a crafted AVI file to crash the decoding process, resulting in a denial of service. The primary AI concern is FFmpeg's direct presence in Red Hat AI (rhelai3) CUDA and ROCm bootc images for AWS, Azure, and GCP, as well as OpenShift AI components including the OpenVINO model server and vLLM Gaudi inference server — any multimodal inference node built on these images that processes user-supplied video is exposed. With no public exploit, no KEV listing, and impact strictly limited to availability (CVSS 6.5, A:H only), immediate exploitation likelihood is low; however, FFmpeg's 130 downstream dependents and 62 prior CVEs in the same package make it a persistent attack surface embedded across AI infrastructure. Audit rhelai3 and RHOAI container images for FFmpeg inclusion, apply the upstream patch when released, and restrict multimedia file ingestion in AI pipelines to trusted pre-validated sources.
Is CVE-2026-12706 actively exploited?
No confirmed active exploitation of CVE-2026-12706 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-12706?
1. Patch: Monitor https://ffmpeg.org/security.html and Red Hat CVE advisories for the patched FFmpeg build; rebuild affected rhelai3 and RHOAI container images immediately upon availability. 2. Disable unused codec: If RASC video support is not required, recompile FFmpeg with --disable-decoder=rasc to eliminate the vulnerable code path entirely. 3. Input validation: Restrict AI pipelines to trusted, pre-validated video sources; reject AVI files from untrusted users before handing off to any FFmpeg-backed decoder. 4. Container hardening: Pin container image versions and implement image scanning (e.g., Trivy, Grype) in CI/CD to catch vulnerable FFmpeg packages before deployment. 5. Detection: Monitor AI inference node process crash logs and container restart events; sudden unexplained crashes of vLLM or OpenVINO containers after processing external video input are a candidate indicator of exploitation attempts.
What systems are affected by CVE-2026-12706?
This vulnerability affects the following AI/ML architecture patterns: model serving, LLM inference infrastructure, multimodal AI pipelines, containerised AI workloads.
What is the CVSS score for CVE-2026-12706?
CVE-2026-12706 has a CVSS v3.1 base score of 6.5 (MEDIUM).
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011 User Execution
- AML.T0029 Denial of AI Service
What are the technical details?
Original Advisory
A use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash).
Exploitation Scenario
An adversary targeting a multimodal AI inference service, for example a vLLM Gaudi endpoint that accepts video uploads for visual question answering, uploads a specially crafted AVI file containing a malicious RASC video stream. The inference pipeline invokes FFmpeg to decode the video as a preprocessing step. Inside the RASC decoder, decode_move() initialises a read pointer into the decompressed buffer; a subsequent reallocation during move-table processing frees and reallocates that buffer, leaving the pointer dangling. When the decoder performs the next read through the stale pointer, it accesses freed heap memory and the FFmpeg worker process crashes. If decoding runs inside the serving process, that crash takes the inference node offline; if it runs in an isolated ffmpeg subprocess, only the offending request fails. Because the stale read lands wherever the allocator placed the old block, the crash can be intermittent rather than deterministic, but from the attacker's perspective this remains a cheaply repeatable targeted DoS requiring only the ability to submit a file to the AI service.
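As an added illustration of the bug class described in the advisory and the scenario above, written for this page and not FFmpeg's rasc.c or its actual fix: a simplified model of a move-table decoder whose output buffer can be reallocated mid-loop. decode_move_vuln keeps the pattern the advisory describes, a read pointer captured before the loop that is still dereferenced after a reallocation; decode_move_fixed re-derives pointers from the live base after every growth and bounds-checks each entry so a crafted table yields an error rather than a crash. The struct layout, the move-table encoding, the sample tables and all names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Simplified model (not FFmpeg's code): a decompressed output buffer plus a
 * "move table" whose entries copy a run of already-decoded bytes to the current
 * write position. Processing an entry may grow, and therefore move, the buffer. */
struct move { uint32_t src; uint32_t len; };

struct dec {
    uint8_t *buf;   /* decompressed data; may be reallocated mid-decode */
    size_t   size;  /* bytes decoded so far */
    size_t   cap;   /* allocation size */
};

static int grow(struct dec *d, size_t need) {
    if (need <= d->cap) return 0;
    size_t ncap = d->cap ? d->cap : 1;
    while (ncap < need) ncap *= 2;
    uint8_t *nb = realloc(d->buf, ncap);  /* may move: raw pointers into the old block are now dead */
    if (!nb) return -1;
    d->buf = nb;
    d->cap = ncap;
    return 0;
}

int dec_init(struct dec *d, const uint8_t *seed, size_t n) {
    memset(d, 0, sizeof *d);
    if (grow(d, n) < 0) return -1;
    memcpy(d->buf, seed, n);
    d->size = n;
    return 0;
}

void dec_free(struct dec *d) { free(d->buf); d->buf = NULL; d->size = d->cap = 0; }

/* VULNERABLE pattern (CWE-416): the read pointer is taken from d->buf once,
 * before the loop, and is still dereferenced after grow() may have freed that
 * block. Deliberately not called below; under a moving realloc it reads freed
 * heap memory and crashes or returns garbage. */
int decode_move_vuln(struct dec *d, const struct move *mt, size_t n) {
    const uint8_t *rd = d->buf;                     /* dangling after the first moving realloc */
    for (size_t i = 0; i < n; i++) {
        if (mt[i].src > d->size || mt[i].len > d->size - mt[i].src) return -1;
        if (grow(d, d->size + mt[i].len) < 0) return -1;
        memcpy(d->buf + d->size, rd + mt[i].src, mt[i].len);   /* use after free */
        d->size += mt[i].len;
    }
    return 0;
}

/* FIXED: keep offsets, take pointers from the current base after every grow(),
 * and bounds-check each entry against what has actually been decoded. */
int decode_move_fixed(struct dec *d, const struct move *mt, size_t n) {
    for (size_t i = 0; i < n; i++) {
        size_t src = mt[i].src, len = mt[i].len;
        if (src > d->size || len > d->size - src) return -1;   /* crafted entry: reject */
        if (grow(d, d->size + len) < 0) return -1;
        memmove(d->buf + d->size, d->buf + src, len);          /* both pointers from the live base */
        d->size += len;
    }
    return 0;
}

/* Constructed table that doubles a 2-byte seed four times, forcing a realloc
 * on every entry. Returns bytes produced (copied into out) or -1. */
long run_fixed_demo(char *out, size_t outcap) {
    static const struct move mt[] = { {0, 2}, {0, 4}, {0, 8}, {0, 16} };
    struct dec d;
    long n = -1;
    if (dec_init(&d, (const uint8_t *)"ab", 2) < 0) return -1;
    if (decode_move_fixed(&d, mt, 4) == 0 && d.size < outcap) {
        memcpy(out, d.buf, d.size);
        out[d.size] = '\0';
        n = (long)d.size;
    }
    dec_free(&d);
    return n;
}

/* Constructed crafted table with an out-of-range source: the fixed decoder must
 * return -1 instead of touching memory outside the live buffer. */
int run_crafted_demo(void) {
    static const struct move bad[] = { {0, 2}, {100, 8} };
    struct dec d;
    if (dec_init(&d, (const uint8_t *)"ab", 2) < 0) return -99;
    int rc = decode_move_fixed(&d, bad, 2);
    dec_free(&d);
    return rc;
}

int main(void) {
    char out[64];
    long n = run_fixed_demo(out, sizeof out);
    printf("fixed decoder produced %ld bytes: %s\n", n, n > 0 ? out : "(error)");
    printf("crafted table -> rc %d (expect -1, not a crash)\n", run_crafted_demo());
    return 0;
}
```

Swapping decode_move_vuln for decode_move_fixed inside run_fixed_demo and building with -fsanitize=address reports a heap-use-after-free on the very first entry, because AddressSanitizer's realloc always moves the block; with the plain glibc allocator the same read may silently succeed, which is why a UAF read of this kind shows up as an intermittent crash in production rather than a reliable one.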
Weaknesses (CWE)
CWE-416 — Use After Free: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
- [Architecture and Design] Choose a language that provides automatic memory management.
- [Implementation] When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References
- access.redhat.com/security/cve/CVE-2026-12706
- bugzilla.redhat.com/show_bug.cgi
- lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/TTRIJZA7UL6KJTEDMMBGZPLLJERJ3EFX/
- patchwork.ffmpeg.org/project/ffmpeg/patch/177766314111.63.10674887811034989327@29965ddac10e/
Related Vulnerabilities
- CVE-2024-9053 (9.8) vllm: RCE via unsafe pickle deserialization in RPC server. Same package: vllm
- CVE-2024-11041 (9.8) vllm: RCE via unsafe pickle deserialization in MessageQueue. Same package: vllm
- CVE-2026-25960 (9.8) vllm: SSRF allows internal network access. Same package: vllm
- CVE-2025-47277 (9.8) vLLM: RCE via exposed TCPStore in distributed inference. Same package: vllm
- CVE-2025-32444 (9.8) vLLM: RCE via pickle deserialization on ZeroMQ. Same package: vllm