CVE-2021-30473
Description
aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
libaom before the 2021-04-07 fix contains an invalid free in aom_image.c: memory that was not allocated on the heap is passed to free(). The Gentoo advisory that covers this issue lists remote code execution among the possible outcomes.
Vulnerability
The vulnerability resides in aom_image.c of libaom (AOMedia's AV1 codec SDK), the file that allocates, wraps and releases aom_image_t frame buffers, prior to commit 4efe20e99dcd9b6f8eadc8de8acc825be7416578 (2021-04-07). The code passes memory that is not located on the heap to free(), i.e. an invalid free (the CWE-590 class, Free of Memory not on the Heap). All versions before this commit are affected [1].
Exploitation
The public description does not state which input reaches the faulty free. Because aom_image.c manages frame buffers rather than parsing the bitstream, the trigger depends on how the library and the calling application allocate or wrap image buffers; the usual scenario for a codec library is decoding attacker-supplied media. No authentication is involved in that scenario: wherever an application hands user-supplied data to a vulnerable libaom, the bug is reachable remotely.
Impact
Passing a non-heap pointer to free() is undefined behaviour. With glibc the allocator usually rejects the bad chunk header and aborts the process ("free(): invalid pointer"), which is a denial of service; depending on the allocator and on the bytes that precede the pointer, the call can instead corrupt allocator metadata, which is the path toward arbitrary code execution. The Gentoo security advisory (GLSA 202401-32) lists remote code execution as a possible outcome among the vulnerabilities it addresses [3].
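The bug class described in the Vulnerability and Impact paragraphs above, as an added example: this is not libaom's code and does not reproduce the specific defect in aom_image.c. It shows a release routine that assumes every buffer it sees came from malloc(), next to a version that records ownership when a buffer is wrapped rather than allocated and only frees what it owns. The names image_t, img_alloc, img_wrap, img_free_vulnerable, img_free_fixed and ownership_demo, and the 64-byte stack buffer used as the non-heap memory, are assumptions made for the demonstration.

```c
/* Added example: invalid free of non-heap memory and the ownership-flag fix.
 * Illustrative code only; not libaom's aom_image.c. All names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *data;      /* pixel buffer */
    size_t   size;      /* bytes in data */
    int      owns_data; /* 1 if data was malloc()ed here, 0 if supplied by the caller */
} image_t;

/* Allocate a buffer on the heap; the image owns it. Returns 0 on success. */
int img_alloc(image_t *img, size_t size) {
    memset(img, 0, sizeof *img);
    img->data = malloc(size);
    if (img->data == NULL) return -1;
    img->size = size;
    img->owns_data = 1;
    return 0;
}

/* Wrap a caller-provided buffer (stack, static or mmap'd memory); the image does not own it. */
void img_wrap(image_t *img, uint8_t *buf, size_t size) {
    img->data = buf;
    img->size = size;
    img->owns_data = 0;
}

/* Vulnerable release: assumes every data pointer came from malloc(). For a wrapped
 * image this passes a non-heap pointer to free(), which is undefined behaviour
 * (glibc usually aborts with "free(): invalid pointer"). Shown for contrast only;
 * ownership_demo() never calls it. */
void img_free_vulnerable(image_t *img) {
    free(img->data);
    img->data = NULL;
}

/* Fixed release: free only what this code allocated, and clear the image so a
 * second call is a no-op rather than a double free. Returns 1 if free() was called. */
int img_free_fixed(image_t *img) {
    int freed = 0;
    if (img->owns_data && img->data != NULL) {
        free(img->data);
        freed = 1;
    }
    img->data = NULL;
    img->size = 0;
    img->owns_data = 0;
    return freed;
}

/* Walk both ownership cases through the fixed path. Returns 0 if every check
 * behaves as expected, otherwise the number of the first failing check. */
int ownership_demo(void) {
    image_t heap_img, wrapped_img;
    uint8_t stack_buf[64];                 /* constructed sample: memory not on the heap */

    if (img_alloc(&heap_img, 64) != 0) return 1;
    memset(heap_img.data, 0xAA, heap_img.size);
    memset(stack_buf, 0x55, sizeof stack_buf);
    img_wrap(&wrapped_img, stack_buf, sizeof stack_buf);

    if (img_free_fixed(&heap_img) != 1) return 2;     /* heap buffer released */
    if (img_free_fixed(&heap_img) != 0) return 3;     /* second call: no double free */
    if (img_free_fixed(&wrapped_img) != 0) return 4;  /* stack buffer never passed to free() */
    if (wrapped_img.data != NULL) return 5;           /* image detached from the buffer */
    if (stack_buf[0] != 0x55) return 6;               /* caller's buffer left untouched */
    return 0;
}

int main(void) {
    return ownership_demo();
}
```

To see the failure mode rather than the fix, build with `cc -fsanitize=address` and call img_free_vulnerable on the wrapped image: AddressSanitizer reports "attempting free on address which was not malloc()-ed", and without the sanitizer glibc aborts on the invalid chunk. The ownership flag is the general remedy: a release routine must know who allocated a buffer, because the pointer value alone does not say.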
Mitigation
The issue is fixed in commit 4efe20e99dcd9b6f8eadc8de8acc825be7416578 (2021-04-07) [1]. The Gentoo advisory recommends upgrading to libaom 3.2.0 or later [3]; distributions that carry an older branch ship the fix as a backport (the SUSE and openSUSE packages listed under Affected products are fixed from 1.0.0-150200.3.12.1, and Debian and Fedora published updates, see References). No workaround is listed, so check every copy of libaom in scope, including copies bundled inside applications or container images, against the fixed version for its branch.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AOMedia/libaom (from the CVE description; no CPE)
- pkg:rpm/opensuse/libaom (distro: openSUSE Leap 15.3), OSV coordinates, no CPE, range: < 1.0.0-150200.3.12.1
- pkg:rpm/opensuse/libaom (distro: openSUSE Leap 15.4), OSV coordinates, no CPE, range: < 1.0.0-150200.3.12.1
- pkg:rpm/suse/libaom (distro: SUSE Linux Enterprise Module for Desktop Applications 15 SP3), OSV coordinates, no CPE, range: < 1.0.0-150200.3.12.1
- pkg:rpm/suse/libaom (distro: SUSE Linux Enterprise Real Time 15 SP2), OSV coordinates, no CPE, range: < 1.0.0-150200.3.12.1
Patches
No patches discovered yet (the fix commit is listed under References).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZXCI33HXH6YSOGC2LPE2REQLMIDH6US4/ (MITRE, vendor advisory)
- https://security.gentoo.org/glsa/202401-32 (MITRE, vendor advisory)
- https://www.debian.org/security/2023/dsa-5490 (MITRE, vendor advisory)
- https://lists.debian.org/debian-lts-announce/2023/09/msg00003.html (MITRE, mailing list)
- https://aomedia.googlesource.com/aom/+/4efe20e99dcd9b6f8eadc8de8acc825be7416578 (MITRE; fix commit)
- https://bugs.chromium.org/p/aomedia/issues/detail (MITRE)
News mentions
No linked articles in our index yet.