CVE-2026-58049 - FFmpeg RASC DLTA decoder out-of-bounds heap write
CVE-2026-58049 + FFmpeg RASC DLTA decoder out-of-bounds heap write + High + 2026-06-28
One-sentence business risk
A media upload or transcoding pipeline can turn a crafted video into memory corruption inside production workers.
Research notes
- Root cause: FFmpeg’s RASC
decode_dltapath performs 32-bit row reads and writes before enforcing the row boundary and validates the DLTA region in pixels instead of bytes. - Affected versions: FFmpeg RASC decoder decode_dlta in libavcodec/rasc.c before vendor patch for CVE-2026-58049.
- Fixed / safe versions: vendor-patched FFmpeg build; disable RASC decoding until fixed packages land.
- Public exploit / PoC signal: public PoC or exploit details are referenced by NVD; use only safe regression tests and do not execute exploit payloads against production.
- CVSS: 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H.
Exact vulnerable code pattern
uint32_t count = read_u32(peer);
attrs = calloc(count, sizeof(*attrs));
for (i = 0; i < count; i++) attrs[i] = parse_attr(peer);
Fixed / mitigated code pattern
uint32_t count = read_u32(peer);
if (count > MAX_ATTRS || count > SIZE_MAX / sizeof(*attrs)) return PROTOCOL_ERROR;
attrs = calloc(count, sizeof(*attrs));
for (i = 0; i < count; i++) parse_attr_checked(peer, &attrs[i]);
Dependency or runtime update:
ffmpeg -version
rg -n "libavcodec|rasc|avcodec_send_packet|ffmpeg" .
# upgrade to vendor-patched FFmpeg or disable RASC decoder
Step-by-step integration guide
- Inventory
FFmpeg libavcodecin source, lockfiles, SBOMs, CI images, containers, deployment manifests, and managed runtimes. - Upgrade or patch to
vendor-patched FFmpeg build; disable RASC decoding until fixed packages land; if no upstream package is available, apply the local guard shown above and track the vendor release as a blocking follow-up. - Replace every vulnerable
memory-safetypattern with a fail-closed implementation that validates ownership, bounds, canonical paths, origin/session binding, or parser limits before acting. - Add a regression test that reproduces the advisory shape safely and proves the request is rejected, bounded, or authorized.
- Deploy through canary, monitor auth, file, parser, crash, and CI-runner logs, then remove temporary edge blocks only after all runtimes are fixed.
Alternative mitigations
- Disable the vulnerable feature path, decoder, plugin, runner backend, proxy agent, or route while the patch rolls out.
- Add WAF/reverse-proxy rules for SQL metacharacters, traversal tokens, unsafe Docker flags, oversized/nested payloads, or unexpected session-origin transitions matching this trigger class.
- Restrict egress and access to untrusted artifacts, SSH servers, media uploads, workflow execution, and administrative delegation until fixed versions are verified.
- Rotate credentials and invalidate sessions if logs show the vulnerable path was reachable by untrusted users.
Detection signature
id: cve-2026-58049-ffmpeg-rasc-dlta-decoder-out-of-bounds-heap-writ
source: NVD
package_or_product: "FFmpeg libavcodec"
affected: "FFmpeg RASC decoder decode_dlta in libavcodec/rasc.c before vendor patch for CVE-2026-58049"
fixed: "vendor-patched FFmpeg build; disable RASC decoding until fixed packages land"
cvss: "8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"
signals:
- "memory-safety"
- "CVE-2026-58049"
- "FFmpeg libavcodec"
action: "upgrade, add a regression test, and verify deploy artifact"
Copy-paste skill
You are remediating CVE-2026-58049 (FFmpeg RASC DLTA decoder out-of-bounds heap write) in this repository.
Produce a reviewer-ready PR or TRIAGE.md. Inventory FFmpeg libavcodec across source, lockfiles, images, CI, deployment manifests, and SBOMs. Apply vendor-patched FFmpeg build; disable RASC decoding until fixed packages land. Replace the vulnerable memory-safety pattern with the fail-closed pattern, add a regression test for the advisory trigger, and document owner, rollout, rollback, and validation evidence. Do not run public exploit PoCs against production or expose secrets in logs.
Keywords, affected tech stack, and revenue tags
- Keywords:
CVE-2026-58049,memory-safety,FFmpeg libavcodec,NVD. - Affected tech stack:
c/c++. - Revenue tags:
sellable_to_fintech,enterprise_blocker,high_priority_sla.