CVE-2026-58049
HighCVSS 8.6Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
In FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c), there is a heap out-of-bounds write vulnerability. The issue arises because 32-bit reads and writes are performed before the NEXT_LINE row-boundary check, and the DLTA region is validated in pixel rather than byte units, allowing access several bytes past the row allocation on a PAL8 frame.
Risk Assessment
A crafted media stream using the RASC FourCC, decoded by libavcodec, can trigger a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption. This could allow an attacker to achieve remote code execution or cause a denial of service.
Recommendation
Immediately update FFmpeg to a version containing the fix for CVE-2026-58049. Until the update is applied, avoid decoding untrusted media streams with the RASC FourCC.
Original NVD description (English source)
FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.

