CVE-2026-56211

HIGH
Published June 19, 2026

A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer...

Full CISO analysis pending enrichment.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
vLLM pip No patch
84.6K 130 dependents Pushed 5d ago 23% patched ~51d to patch Full package profile →
aom No patch
aom-main No patch
firefox No patch
rhai/base-image-cpu-rhel9 No patch
rhai/base-image-cuda-12.9-rhel9 No patch
rhai/base-image-cuda-13.0-rhel9 No patch
rhai/base-image-gaudi-rhel9 No patch
rhai/base-image-neuron-rhel9 No patch
rhai/base-image-rocm-6.4-rhel9 No patch
rhai/base-image-rocm-7.0-rhel9 No patch
rhai/base-image-rocm-7.1-rhel9 No patch
rhai/base-image-spyre-rhel9 No patch
rhai/base-image-tpu-rhel9 No patch
rhaii/model-opt-cuda-rhel9 No patch
rhaiis/model-opt-cuda-rhel9 No patch
rhoai/odh-automl-rhel9 No patch
rhoai/odh-autorag-rhel9 No patch
rhoai/odh-kserve-autogluon-server-rhel9 No patch
rhoai/odh-llama-stack-core-rhel9 No patch
rhoai/odh-llm-d-kv-cache-rhel9 No patch
rhoai/odh-mlserver-rhel9 No patch
rhoai/odh-spark-operator-rhel9 No patch
rhoai/odh-th06-cpu-torch210-py312-rhel9 No patch
rhoai/odh-th06-cpu-torch291-py312-rhel9 No patch
rhoai/odh-th06-cuda130-torch210-py312-rhel9 No patch
rhoai/odh-th06-cuda130-torch291-py312-rhel9 No patch
rhoai/odh-th06-rocm64-torch291-py312-rhel9 No patch
rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9 No patch
rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9 No patch
rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9 No patch
rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9 No patch
rhoai/odh-workbench-jupyter-minimal-cuda-py312-rhel9 No patch
rhoai/odh-workbench-jupyter-minimal-rocm-py312-rhel9 No patch
rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 No patch
thunderbird No patch

How severe is it?

CVSS 3.1
7.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC High
PR None
UI Required
S Unchanged
C Low
I High
A High

What should I do?

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-56211?

A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.

Is CVE-2026-56211 actively exploited?

No confirmed active exploitation of CVE-2026-56211 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-56211?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-56211?

CVE-2026-56211 has a CVSS v3.1 base score of 7.1 (HIGH).

What are the technical details?

Original Advisory

A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures. In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding enabled and accept attacker-supplied video frames.

Weaknesses (CWE)

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

Timeline

Published
June 19, 2026
Last Modified
July 3, 2026
First Seen
July 3, 2026

Related Vulnerabilities