CVE-2021-30475
Description
aom_dsp/noise_model.c in libaom in AOMedia before 2021-03-24 has a buffer overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in libaom's aom_dsp/noise_model.c, fixed upstream on 2021-03-24, corrupts memory and may lead to denial of service or remote code execution when untrusted video input reaches the noise model.
Vulnerability
A buffer overflow exists in aom_dsp/noise_model.c of libaom, the AOMedia reference implementation of the AV1 codec. Every libaom build before the fix commit of 2021-03-24 [1] is affected. The public description names only the file, not the overflowing function or the exact trigger, so the fix commit [1] is the authoritative source for the mechanics. One caveat matters for triage: the noise model in aom_dsp is the encoder-side code that estimates film grain and denoises input frames (enabled through the encoder's noise-sensitivity option); the decoder's film-grain path lives in grain_synthesis.c. The reachable input is therefore raw video fed to an encoder with noise modeling switched on, rather than an AV1 bitstream handed to a decoder.
Exploitation
An attacker who can supply video input to an application that links libaom and runs its noise model on that input can trigger the overflow. No authentication is required. The vector is network-reachable wherever such an application accepts untrusted uploads for encoding or transcoding; a local-only encoder pipeline is reachable only by whoever controls its input. The sources linked on this page do not state the precise trigger conditions, and none of the distribution advisories describe a public exploit.
Impact
Successful exploitation corrupts memory in the process that runs the encoder. The reliable outcome is a crash (denial of service); whether it can be escalated to code execution depends on the heap layout and the mitigations of the host process, which is why the Gentoo security advisory classifies the impact as possible remote code execution [3]. The impact is bounded by the privileges and sandboxing of that process, so an encoder worker running unprivileged and isolated limits the damage even if code execution is achieved.
Mitigation
The issue was fixed upstream in libaom commit 12adc723acf02633595a4d8da8345742729f46c0 of 2021-03-24 [1]. The Gentoo advisory recommends upgrading to >=media-libs/libaom-3.2.0 and lists no workaround [3]; Debian (DSA-5490 and the LTS announcement) and Fedora shipped patched packages, and the SUSE and openSUSE ranges under "Affected products" below show the fix backported into 1.0.0-based and 3.1.2-based packages. Because distributions backport the fix without changing the upstream version string, check the distribution advisory or the package changelog rather than the upstream version number alone. Until a patched build is deployed, the exposure can be reduced by not running the encoder's noise model on untrusted input, since that is the code path the vulnerable file serves.
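The following host check is an added example, not code from the CVE page, from the libaom project, or from any of the linked advisories. It reports the libaom version found on a host (via pkg-config, dpkg or rpm) and compares its upstream part with the 3.2.0 threshold the Gentoo advisory names. The threshold, the package-name patterns and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: compare the installed upstream libaom version with the version
# the Gentoo advisory names as fixed. Assumptions (not from the CVE page): the
# 3.2.0 threshold, the package-name patterns and the helper names below.
FIXED_LIBAOM="3.2.0"

# version_ge A B: exit 0 when A >= B in dotted-version order.
# Relies on "sort -V" (GNU coreutils and recent BSD sort).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# upstream_version PKGVER: strip a Debian/RPM epoch and release suffix,
# e.g. "1:3.6.0-1+deb12u1" -> "3.6.0", "1.0.0-lp152.3.3.1" -> "1.0.0".
upstream_version() {
    printf '%s\n' "$1" | sed 's/^[0-9]*://; s/[-+~].*//'
}

# classify_libaom PKGVER: print "fixed" or "vulnerable" judged on the
# upstream version only (a distro package may carry a backported fix).
classify_libaom() {
    if version_ge "$(upstream_version "$1")" "$FIXED_LIBAOM"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# installed_libaom_version: print the version reported by pkg-config, dpkg
# or rpm, whichever is present; prints nothing when libaom is not installed.
installed_libaom_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists aom 2>/dev/null; then
        pkg-config --modversion aom
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' 'libaom*' 2>/dev/null | head -n1
    elif command -v rpm >/dev/null 2>&1 && rpm -q libaom >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' libaom | head -n1
    fi
}

# report_libaom: one-line human-readable verdict for this host.
report_libaom() {
    v="$(installed_libaom_version)"
    if [ -z "$v" ]; then
        echo "libaom: not found"
    else
        echo "libaom $v: $(classify_libaom "$v") by upstream version;" \
             "confirm backports against the distribution advisory"
    fi
}

report_libaom
```

The verdict is deliberately conservative: a Leap 15.2 package at 1.0.0-lp152.3.3.1 is reported "vulnerable" because its upstream version is 1.0.0, even though that exact release is the one the affected-products ranges mark as fixed. Treat "vulnerable" as "go and read the distribution advisory", not as a confirmed finding.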
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AOMedia/libaom (from the description)
- OSV coordinates (5 package versions, no CPE):
  - pkg:rpm/opensuse/libaom&distro=openSUSE%20Leap%2015.2: range < 1.0.0-lp152.3.3.1
  - pkg:rpm/opensuse/libaom&distro=openSUSE%20Leap%2015.3: range < 1.0.0-3.3.1
  - pkg:rpm/opensuse/libaom&distro=openSUSE%20Tumbleweed: range < 3.1.2-1.2
  - pkg:rpm/suse/libaom&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2: range < 1.0.0-3.3.1
  - pkg:rpm/suse/libaom&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3: range < 1.0.0-3.3.1
Patches
No patches discovered yet (the upstream fix commit is listed under References).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZXCI33HXH6YSOGC2LPE2REQLMIDH6US4/ (mitre; vendor-advisory)
- [3] security.gentoo.org/glsa/202401-32 (mitre; vendor-advisory)
- www.debian.org/security/2023/dsa-5490 (mitre; vendor-advisory)
- lists.debian.org/debian-lts-announce/2023/09/msg00003.html (mitre; mailing-list)
- [1] aomedia.googlesource.com/aom/+/12adc723acf02633595a4d8da8345742729f46c0 (mitre)
- bugs.chromium.org/p/aomedia/issues/detail (mitre)
News mentions
No linked articles in our index yet.