CVE-2026-56209 Affecting libaom-devel-doc package, versions <3.7.1-150400.3.12.1


Severity

Recommended
0.0
high
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.27% (19th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SLES154-LIBAOMDEVELDOC-17949224
  • published11 Jul 2026
  • disclosed9 Jul 2026

Introduced: 9 Jul 2026

NewCVE-2026-56209  (opens in a new tab)

How to fix?

Upgrade SLES:15.4 libaom-devel-doc to version 3.7.1-150400.3.12.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libaom-devel-doc package and not the libaom-devel-doc package as distributed by SLES. See How to fix? for SLES:15.4 relevant fixed versions and status.

An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.

CVSS Base Scores

version 3.1