CVE-2026-58049 - FFmpeg RASC decoder DLTA row out-of-bounds write

CVE-2026-58049 - FFmpeg RASC decoder DLTA row out-of-bounds write - High - 2026-06-28

Business risk: A crafted media file can corrupt memory in services that transcode or inspect user-supplied video.

Root cause: decode_dlta performs 32-bit row cursor reads/writes before NEXT_LINE boundary checks and validates pixel counts instead of byte extents.

Affected versions

  • Vulnerable: FFmpeg/libavcodec builds containing the vulnerable RASC decode_dlta implementation.
  • Fixed / safe target: Upgrade/backport the FFmpeg fix that validates DLTA regions in bytes and checks row boundaries before 32-bit access.
  • CVSS: 8.6 (High)

Exact vulnerable code pattern

AV_WL32(dst + x, value);
x += run_pixels;
if (x >= width) { NEXT_LINE(); }

Fixed / mitigated code pattern

size_t bytes = (size_t)run_pixels * bytes_per_pixel;
if (x_bytes > row_size || bytes > row_size - x_bytes || bytes < sizeof(uint32_t)) {
    return AVERROR_INVALIDDATA;
}
AV_WL32(dst + x_bytes, value);

Step-by-step integration guide

  1. Inventory FFmpeg binaries, packages, vendored source, images, and language bindings.
  2. Upgrade or backport the RASC decoder fix.
  3. Rebuild static consumers.
  4. Add a malformed RASC DLTA regression corpus sample.
  5. Run media workers with sandboxing and memory limits.

Alternative mitigations

  • Disable the RASC decoder or reject RASC FourCC media.
  • Run FFmpeg in seccomp/AppArmor with no sensitive mounts.
  • Route user media through isolated workers.

Detection signature

rg -n "rasc|decode_dlta|libavcodec|ffmpeg|AV_CODEC_ID_RASC" . Dockerfile*

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-58049: FFmpeg RASC decoder DLTA row out-of-bounds write.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-58049 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, ffmpeg, libavcodec, media-parser, memory-corruption, sellable_to_media, zero_day_gold, high
  • Affected tech stack: c/cpp
  • Revenue tags: sellable_to_media, zero_day_gold

References