Home

Description

A use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash).

PUBLISHED Reserved 2026-06-19 | Published 2026-06-19 | Updated 2026-06-19 | Assigner redhat




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Problem types

Use After Free

Product status

Default status
affected

Default status
unaffected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
unaffected

Default status
affected

Timeline

2026-05-02:Reported to Red Hat.
2026-05-01:Made public.

Credits

Upstream acknowledges Seung Min Shin as the original reporter.

References

access.redhat.com/security/cve/CVE-2026-12706 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2490710 (RHBZ#2490710) issue-tracking

lists.ffmpeg.org/...essage/TTRIJZA7UL6KJTEDMMBGZPLLJERJ3EFX/

patchwork.ffmpeg.org/...3.10674887811034989327@29965ddac10e/

cve.org (CVE-2026-12706)

nvd.nist.gov (CVE-2026-12706)

Download JSON