FFmpeg RASC Decoder UAF via deallocated buffer in move_table
CVE-2026-12706 Published on June 19, 2026
Ffmpeg: ffmpeg: heap use-after-free read in rasc decoder decode_move()
A use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash).
Vulnerability Analysis
CVE-2026-12706 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
What is a Dangling pointer Vulnerability?
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
CVE-2026-12706 has been classified to as a Dangling pointer vulnerability or weakness.
Products Associated with CVE-2026-12706
stack.watch emails you whenever new vulnerabilities are published in Red Hat Enterprise Linux Ai or Red Hat Openshift Ai. Just hit a watch button to start following.
