CVE-2020-36129
Description
AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack buffer overflow in AOM v2.0.1 (libaom) via src/aom_image.c could allow remote code execution; fixed in libaom 3.2.0.
Vulnerability
A stack buffer overflow exists in the AOM (Alliance for Open Media) AV1 codec SDK, specifically in the file src/aom_image.c. The vulnerability affects AOM version 2.0.1 (also referred to as libaom 2.0.1). It arises from insufficient bounds checking when processing certain image data, leading to a stack-based buffer overflow. [1]
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted AV1 bitstream or image data to an application using the vulnerable library. No authentication is required if the attacker can deliver the malicious input over a network (e.g., via a web browser or media player). The overflow occurs during image decoding, potentially allowing control of the return address or other stack variables. [1]
Impact
Successful exploitation could lead to remote code execution (RCE) with the privileges of the process using the library. The worst-case impact is arbitrary code execution, as indicated by the Gentoo advisory. [1]
Mitigation
The vulnerability is fixed in libaom version 3.2.0 and later. Users should upgrade to at least this version. There is no known workaround. The Gentoo advisory (GLSA 202401-32) recommends upgrading via emerge --sync && emerge --ask --oneshot --verbose ">=media-libs/libaom-3.2.0". [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AOM/AOM (from the CVE description)
- OSV coordinates (4 package versions, no CPE assigned):
- pkg:rpm/opensuse/libaom&distro=openSUSE%20Leap%2015.2, affected range: < 1.0.0-lp152.3.9.1
- pkg:rpm/opensuse/libaom&distro=openSUSE%20Leap%2015.3, affected range: < 1.0.0-3.9.1
- pkg:rpm/suse/libaom&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2, affected range: < 1.0.0-3.9.1
- pkg:rpm/suse/libaom&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3, affected range: < 1.0.0-3.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- security.gentoo.org/glsa/202401-32 (tags: mitre, vendor-advisory)
- bugs.chromium.org/p/aomedia/issues/detail (tags: mitre)
News mentions
No linked articles in our index yet.