CVE-2026-58049
Received - Intake

Heap Out-of-Bounds Write in FFmpeg RASC Decoder

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulnCheck

Description

FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.

Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
AI Q&A: 2026-06-28
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: ffmpeg
Product: ffmpeg
Version / Range: to bcd2c69e087a09b07cf45c6bd2428ee1ccb2925c (exc)

Exploitability

CWE ID: CWE-787
Description: The product writes data past the end, or before the beginning, of the intended buffer.

Executive Summary

CVE-2026-58049 is a vulnerability in FFmpeg's RASC video decoder, specifically in the decode_dlta() function within libavcodec/rasc.c. The issue occurs because the decoder performs 32-bit reads and writes at the row cursor before checking the row boundary, and it validates the DLTA region in pixel units rather than byte units. This flaw allows a crafted media stream using the RASC FourCC to trigger a bitstream-controlled out-of-bounds heap write and an adjacent out-of-bounds read, leading to memory corruption.

The root cause is the lack of proper row-boundary checks before 32-bit operations in certain DLTA run types, which allows operations to exceed the allocated frame row width. This can result in overwriting adjacent memory, including callback pointers.

Impact Analysis

This vulnerability can lead to memory corruption through out-of-bounds heap writes and reads when processing specially crafted media streams. The impact includes potential application crashes, denial of service, and arbitrary code execution.

An attacker can exploit this flaw to overwrite callback pointers, redirecting execution flow to malicious code. For example, a proof-of-concept exploit demonstrates redirecting a callback to launch a calculator application, showing the potential for arbitrary code execution.

Applications using the vulnerable FFmpeg RASC decoder are at risk of instability and security breaches if they process untrusted or malicious media files.

Detection Guidance

This vulnerability is triggered by processing crafted media streams using the RASC FourCC in FFmpeg's RASC decoder. Detection involves identifying if your system processes such media streams and if the FFmpeg version is vulnerable (up to commit bcd2c69e087a09b07cf45c6bd2428ee1ccb2925c).

To detect exploitation attempts or presence of the vulnerability, you can monitor for crashes or memory corruption events related to FFmpeg when handling RASC-encoded media files.

Specific commands to check the FFmpeg version and identify if it is vulnerable include:

  • ffmpeg -version
  • Check if the version is at or before the vulnerable commit (bcd2c69e087a09b07cf45c6bd2428ee1ccb2925c).

For network detection, you can use file inspection tools to identify RASC FourCC media streams, for example using ffprobe:

  • ffprobe -show_streams <media_file>

Look for streams with the RASC FourCC identifier, which indicates the vulnerable decoder might be used.

Mitigation Strategies

Immediate mitigation steps include:

  • Update FFmpeg to a version that includes the patch fixing the out-of-bounds write in the RASC decoder (post commit bcd2c69e087a09b07cf45c6bd2428ee1ccb2925c).
  • Avoid processing untrusted or specially crafted media streams that use the RASC FourCC format until the update is applied.
  • Implement input validation or filtering to block or quarantine media files containing RASC FourCC streams from untrusted sources.
  • Monitor application logs and system behavior for signs of memory corruption or crashes related to FFmpeg.
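
The ffprobe check from the detection guidance and the quarantine filter from the mitigation list, combined into one intake gate (an added example, not code from this report or from FFmpeg). The function names, the fail-closed policy and the sample JSON are assumptions made for illustration; streams are matched on ffprobe's `codec_name` and `codec_tag_string` fields.

```python
import json
import subprocess

# Identifiers that mark a RASC stream in ffprobe's per-stream output.
RASC_CODEC_NAME = "rasc"
RASC_FOURCC = "RASC"


def rasc_streams(ffprobe_json: str) -> list[int]:
    """Return indexes of streams that ffprobe maps to RASC (by name or FourCC)."""
    report = json.loads(ffprobe_json)
    hits = []
    for stream in report.get("streams", []):
        name = str(stream.get("codec_name", "")).lower()
        tag = str(stream.get("codec_tag_string", "")).upper()
        if name == RASC_CODEC_NAME or tag == RASC_FOURCC:
            hits.append(stream.get("index", -1))
    return hits


def verdict(path: str, timeout: int = 20) -> str:
    """Classify a file as 'allow' or 'quarantine'; probe failures fail closed."""
    # -i keeps a path that starts with '-' from being parsed as an option.
    cmd = ["ffprobe", "-v", "error", "-of", "json", "-show_streams", "-i", path]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout, check=True).stdout
        return "quarantine" if rasc_streams(out) else "allow"
    except (OSError, subprocess.SubprocessError, ValueError):
        # Missing ffprobe, non-zero exit, timeout or unparseable output.
        return "quarantine"


# Constructed sample of ffprobe JSON output (not captured from a real file).
SAMPLE = json.dumps({"streams": [
    {"index": 0, "codec_type": "video", "codec_name": "rasc",
     "codec_tag_string": "RASC"},
    {"index": 1, "codec_type": "audio", "codec_name": "pcm_s16le",
     "codec_tag_string": "[1][0][0][0]"},
    {"index": 2, "codec_type": "video", "codec_name": "h264",
     "codec_tag_string": "avc1"},
]})

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, verdict(p))
    print("sample RASC stream indexes:", rasc_streams(SAMPLE))
```

Stream probing can itself invoke decoders, so run the probe with a patched ffprobe build or inside a sandbox rather than with the build under assessment.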
