Vulnerability DatabaseCVE-2026-56208
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-56208
Published:June 19, 2026
Updated:June 29, 2026
A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution.
Affected Packages
https://aomedia.googlesource.com/aom (SCM_GIT):
Affected version(s) >=v2.0.0 <v3.14.0
Fix Suggestion:
Update to version v3.14.0
Related Resources (5)
https://access.redhat.com/security/cve/CVE-2026-56208
https://access.redhat.com/errata/RHSA-2026:30814
https://issues.chromium.org/issues/504317456
https://aomedia.googlesource.com/aom/+/243f8ae84b
https://bugzilla.redhat.com/show_bug.cgi?id=2490799
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.2
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
HIGH
Weakness Type (CWE)
Heap-based Buffer Overflow
CWE-122
EPSS
Base Score:
0.27