CVE-2026-56210

HIGH
Published June 19, 2026

A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap...

Full CISO analysis pending enrichment.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
aom No patch
aom-main No patch
firefox No patch
rhai/base-image-cpu-rhel9 No patch
rhai/base-image-cuda-12.9-rhel9 No patch
rhai/base-image-cuda-13.0-rhel9 No patch
rhai/base-image-gaudi-rhel9 No patch
rhai/base-image-neuron-rhel9 No patch
rhai/base-image-rocm-6.4-rhel9 No patch
rhai/base-image-rocm-7.0-rhel9 No patch
rhai/base-image-rocm-7.1-rhel9 No patch
rhai/base-image-spyre-rhel9 No patch
rhai/base-image-tpu-rhel9 No patch
rhaii/model-opt-cuda-rhel9 No patch
rhaiis/model-opt-cuda-rhel9 No patch
rhoai/odh-automl-rhel9 No patch
rhoai/odh-autorag-rhel9 No patch
rhoai/odh-kserve-autogluon-server-rhel9 No patch
rhoai/odh-llama-stack-core-rhel9 No patch
rhoai/odh-llm-d-kv-cache-rhel9 No patch
rhoai/odh-mlserver-rhel9 No patch
rhoai/odh-spark-operator-rhel9 No patch
rhoai/odh-th06-cpu-torch210-py312-rhel9 No patch
rhoai/odh-th06-cpu-torch291-py312-rhel9 No patch
rhoai/odh-th06-cuda130-torch210-py312-rhel9 No patch
rhoai/odh-th06-cuda130-torch291-py312-rhel9 No patch
rhoai/odh-th06-rocm64-torch291-py312-rhel9 No patch
rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9 No patch
rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9 No patch
rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9 No patch
rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9 No patch
rhoai/odh-workbench-jupyter-minimal-cuda-py312-rhel9 No patch
rhoai/odh-workbench-jupyter-minimal-rocm-py312-rhel9 No patch
rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 No patch
thunderbird No patch

How severe is it?

CVSS 3.1
7.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Unchanged
C Low
I None
A High

What should I do?

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-56210?

A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).

Is CVE-2026-56210 actively exploited?

No confirmed active exploitation of CVE-2026-56210 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-56210?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-56210?

CVE-2026-56210 has a CVSS v3.1 base score of 7.1 (HIGH).

What are the technical details?

Original Advisory

A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC encoder parameters in a network-facing service could exploit this for information disclosure (heap content leak) or denial of service (segmentation fault from hitting unmapped memory).

Weaknesses (CWE)

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Timeline

Published
June 19, 2026
Last Modified
July 3, 2026
First Seen
July 3, 2026

Related Vulnerabilities