CVE Catalog

CVE-2026-58049

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile — higher than 12% of all known CVEs

Summary

In FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c), there is a heap out-of-bounds write vulnerability. The issue arises because 32-bit reads and writes are performed before the NEXT_LINE row-boundary check, and the DLTA region is validated in pixel rather than byte units, allowing access several bytes past the row allocation on a PAL8 frame.

Risk Assessment

A crafted media stream using the RASC FourCC, decoded by libavcodec, can trigger a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption. This could allow an attacker to achieve remote code execution or cause a denial of service.

Recommendation

Immediately update FFmpeg to a version containing the fix for CVE-2026-58049. Until the update is applied, avoid decoding untrusted media streams with the RASC FourCC.

Original NVD description (English source)

FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS