CVE-2026-56208
CWE-122Published: June 19, 2026· Updated: Jun 25, 2026
Official Description
A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution.
Technical Analysis
CVE-2026-56208 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, though user interaction (Required) is needed, which slightly reduces the risk of mass automated attacks.
A successful exploit results in availability disruption (denial of service), with a CVSS base score of 7.6.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (4)
Quick Facts
Related CVEs (CWE-122)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-56208 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts