CVE-2021-30474
Description
aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in libaom's grain_table.c allows potential code execution when processing crafted AV1 video.
Vulnerability
The aom_dsp/grain_table.c file in libaom (the AOMedia AV1 Codec SDK) contains a use-after-free bug that was fixed upstream on 2021-03-30 by commit 6e31957b6dc62dbc7d1bb70cd84902dd14c4bf2e [1]. Every libaom build that predates that commit is affected. The flaw is an access to memory after it has been freed; the file name places it in the film grain synthesis table handling, but the public description does not name the specific function or the exact dangling pointer.
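The following added example is not libaom's code and does not reproduce the actual defect, which the page does not detail. It is a constructed, minimal linked-list "grain table" keyed by time interval, with an erase routine written the way such bugs typically arise (the node's `next` pointer is read after the node has been freed) beside the hardened form that saves `next` before freeing. The type and function names, the table layout and the erase semantics are assumptions for illustration only.

```c
/* Constructed example, not libaom's grain_table.c. Names, layout and the
 * erase semantics are assumptions made for illustration. */
#include <stdint.h>
#include <stdlib.h>

typedef struct entry {
    int64_t start_time, end_time;   /* half-open interval [start, end) */
    uint16_t random_seed;           /* stand-in for per-interval grain parameters */
    struct entry *next;
} entry_t;

typedef struct {
    entry_t *head;
    entry_t *tail;
} grain_table_t;

/* Append an interval at the tail. Returns 1 on success, 0 on allocation failure. */
int table_add(grain_table_t *t, int64_t start, int64_t end, uint16_t seed) {
    entry_t *e = calloc(1, sizeof *e);
    if (!e) return 0;
    e->start_time = start;
    e->end_time = end;
    e->random_seed = seed;
    if (t->tail) t->tail->next = e; else t->head = e;
    t->tail = e;
    return 1;
}

/* Number of entries currently linked into the table. */
int table_count(const grain_table_t *t) {
    int n = 0;
    for (const entry_t *e = t->head; e; e = e->next) n++;
    return n;
}

/* Release every entry; safe because the successor is read before free(). */
void table_free(grain_table_t *t) {
    entry_t *e = t->head;
    while (e) { entry_t *next = e->next; free(e); e = next; }
    t->head = t->tail = NULL;
}

/* VULNERABLE pattern: every entry covering `ts` is unlinked and freed, and
 * the walk then continues through the freed node's `next` field. Build with
 * -fsanitize=address and call it to see the heap-use-after-free report. It is
 * deliberately never called by the checks below, because the read is
 * undefined behaviour. */
int erase_matching_vulnerable(grain_table_t *t, int64_t ts) {
    entry_t *prev = NULL, *e = t->head;
    int erased = 0;
    while (e) {
        if (ts >= e->start_time && ts < e->end_time) {
            if (prev) prev->next = e->next; else t->head = e->next;
            if (t->tail == e) t->tail = prev;
            free(e);
            erased++;
            e = e->next;              /* use-after-free: e was just freed */
            continue;
        }
        prev = e;
        e = e->next;
    }
    return erased;
}

/* HARDENED form: the successor is captured before the node can be freed, the
 * freed pointer is not touched again, and head/tail are repaired first. */
int erase_matching_fixed(grain_table_t *t, int64_t ts) {
    entry_t *prev = NULL, *e = t->head;
    int erased = 0;
    while (e) {
        entry_t *next = e->next;      /* saved while e is still live */
        if (ts >= e->start_time && ts < e->end_time) {
            if (prev) prev->next = next; else t->head = next;
            if (t->tail == e) t->tail = prev;
            free(e);
            erased++;                 /* e is dead from here on; only `next` is used */
        } else {
            prev = e;
        }
        e = next;
    }
    return erased;
}

int main(void) {
    grain_table_t t = {0};
    table_add(&t, 0, 10, 1);
    table_add(&t, 5, 20, 2);          /* overlaps the first interval at ts = 7 */
    table_add(&t, 20, 30, 3);
    int erased = erase_matching_fixed(&t, 7);   /* removes the first two entries */
    int left = table_count(&t);                 /* 1 */
    table_free(&t);
    return (erased == 2 && left == 1) ? 0 : 1;
}
```

The overlapping intervals matter: with a single match the vulnerable walk would return before reading the freed node, so a table where exactly one entry covers the time stamp never exercises the bug. Fuzzers find this class of defect quickly once AddressSanitizer is enabled, which is the cheap check to run on any code that unlinks and frees list nodes during traversal.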
Exploitation
An attacker needs only to get a vulnerable libaom build to process crafted AV1 input (the description does not say whether a bitstream or a film grain table file reaches the affected code) that drives grain_table.c into the bug. No authentication or special privileges are required beyond the victim opening the content, for example in a browser or media player linked against libaom. The exact trigger sequence is not documented in the description or the cited references; what is known is the bug class, a pointer to freed memory being dereferenced.
Impact
Successful exploitation could lead to arbitrary code execution, denial of service, or disclosure of memory contents [2]. The attacker could potentially achieve remote code execution on the system decoding the crafted content, with privileges equal to the process using libaom.
Mitigation
The vulnerability was fixed upstream in commit 6e31957b6dc62dbc7d1bb70cd84902dd14c4bf2e [1]. Users should update to libaom 3.2.0 or later, as recommended in Gentoo security advisory GLSA 202401-32 [2]; Debian shipped backported fixes in DSA-5490 [3] and the LTS announcement [4], and the fixed openSUSE and SUSE package versions are listed under Affected products below. No workaround removes the bug; updating is the only fix. Where an update cannot be applied immediately, the usual compensating control is to confine the process that decodes untrusted media (browsers and most media players already sandbox their decoders), which limits the impact of exploitation rather than preventing it.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
6 entries:
- AOMedia/libaom (from the CVE description)
- pkg:rpm/opensuse/libaom, openSUSE Leap 15.2 (OSV coordinates, no CPE): affected < 1.0.0-lp152.3.6.1
- pkg:rpm/opensuse/libaom, openSUSE Leap 15.3 (OSV coordinates, no CPE): affected < 1.0.0-3.6.1
- pkg:rpm/opensuse/libaom, openSUSE Tumbleweed (OSV coordinates, no CPE): affected < 3.2.0-2.1
- pkg:rpm/suse/libaom, SUSE Linux Enterprise Module for Desktop Applications 15 SP2 (OSV coordinates, no CPE): affected < 1.0.0-3.6.1
- pkg:rpm/suse/libaom, SUSE Linux Enterprise Module for Desktop Applications 15 SP3 (OSV coordinates, no CPE): affected < 1.0.0-3.6.1
Patches
No patches discovered yet by the index (the upstream fix commit is listed under References).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5 references:
[1] aomedia.googlesource.com/aom/+/6e31957b6dc62dbc7d1bb70cd84902dd14c4bf2e (source: mitre; upstream fix commit)
[2] security.gentoo.org/glsa/202401-32 (source: mitre; vendor advisory)
[3] www.debian.org/security/2023/dsa-5490 (source: mitre; vendor advisory)
[4] lists.debian.org/debian-lts-announce/2023/09/msg00003.html (source: mitre; mailing list)
[5] bugs.chromium.org/p/aomedia/issues/detail (source: mitre; issue link as recorded, without an issue id)
News mentions
No linked articles in our index yet.