CVE-2026-56208 Red Hat CVE debrief

Who should care

Organizations using libaom or products that incorporate libaom, such as video transcoding services or WebRTC applications, should prioritize patching this vulnerability. Additionally, developers who work with AV1 encoding or decoding should be aware of this vulnerability and take steps to ensure that their applications are not exposed to this issue.

Technical summary

The vulnerability is caused by a flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode. When g_lag_in_frames is set to 1 or higher, the first-pass stats ring buffer wrap-around guard is bypassed, resulting in a 232-byte out-of-bounds write on every encoded frame after the second. This corrupts adjacent heap objects, potentially allowing an attacker to cause a denial of service (process crash) or achieve code execution.

Defensive priority

High priority due to potential for code execution and denial of service

Recommended defensive actions

• Apply patches or updates to libaom to fix the vulnerability
• Review and update encoder configurations to prevent exploitation
• Monitor for suspicious activity in transcoding services or WebRTC sessions
• Implement compensating controls to limit exposure to potential attacks
• Inventory and track libaom usage in products and applications

Evidence notes

The vulnerability was found in libaom, the reference AV1 codec implementation. The flaw is in the AV1 encoder's Look-Ahead Processing (LAP) mode. The CVSS score for this vulnerability is 7.6, indicating a high severity. Defenders should verify the official CVE record and NVD details for CVE-2026-56208.

Official resources