CVE-2020-36131
Description
AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack buffer overflow in AOM v2.0.1 stats/rate_hist.c may allow remote code execution through crafted media input.
Vulnerability
A stack buffer overflow vulnerability exists in AOM (the Alliance for Open Media's AV1 Codec SDK) version 2.0.1 in the file stats/rate_hist.c. The issue is reachable when processing crafted input that exercises the rate histogram statistics component. Affected version: AOM v2.0.1. [1]
Exploitation
An attacker could trigger the overflow by providing a specially crafted media file (an AV1 encoded stream) to an application that uses AOM for decoding and statistics processing. No authentication is required; the attack vector is network-based via file delivery. The references do not detail the exact exploitation sequence, but it relies on the vulnerable code path in the rate histogram statistics. [1]
Impact
Successful exploitation could lead to remote code execution in the context of the application that uses the library, fully compromising confidentiality, integrity, and availability. The vulnerability is of high severity (CVSS details are not provided in the available information, but the related Gentoo advisory notes that the "worst can lead to remote code execution"). [1]
Mitigation
The vulnerability is fixed in libaom version 3.2.0 and later. Gentoo users should upgrade media-libs/libaom to >=3.2.0. No workaround is available. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AOM/AOM (description)
- OSV coordinates (4 versions):
  pkg:rpm/opensuse/libaom&distro=openSUSE%20Leap%2015.2
  pkg:rpm/opensuse/libaom&distro=openSUSE%20Leap%2015.3
  pkg:rpm/suse/libaom&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2
  pkg:rpm/suse/libaom&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3
- (no CPE) range: < 1.0.0-lp152.3.9.1
- (no CPE) range: < 1.0.0-3.9.1
- (no CPE) range: < 1.0.0-3.9.1
- (no CPE) range: < 1.0.0-3.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- security.gentoo.org/glsa/202401-32 (mitre, vendor-advisory)
- www.debian.org/security/2023/dsa-5490 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2023/09/msg00003.html (mitre, mailing-list)
- bugs.chromium.org/p/aomedia/issues/detail (mitre)
News mentions
No linked articles in our index yet.