A high-severity vulnerability tracked as CVE-2026-58049 affects FFmpeg’s RASC video decoder in libavcodec/rasc.c, where the decode_dlta() function performs 32-bit reads and writes before enforcing a row-boundary check. The flaw is compounded by validating the DLTA region in pixel units rather than byte units, allowing a crafted media stream using the RASC FourCC to access several bytes past a PAL8 frame row allocation. Security advisories say the bug can trigger a bitstream-controlled heap out-of-bounds write and an adjacent out-of-bounds read during decoding, leading to memory corruption and potential remote exploitation.
A public proof of concept demonstrates the issue on FFmpeg upstream code and shows how DLTA run handlers can write past a 64-byte PAL8 frame row boundary. The PoC uses a custom buffer callback to place a function pointer next to the frame buffer, then overwrites the low bytes of that pointer through a crafted DLTA run to redirect execution, while AddressSanitizer reports a heap-buffer-overflow in decode_dlta(). Reported mitigations include updating FFmpeg, applying vendor patches, and moving row-boundary validation ahead of every 32-bit access with stricter checks such as ensuring cx + 4 <= w * s->bpp.
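As an added illustration, not FFmpeg's own code, the following simplified C model contrasts the two row-boundary checks the advisory describes: a pixel-unit check that ignores the 4-byte width of the access, beside the byte-unit check cx + 4 <= w * bpp applied before any 32-bit store. The row structure, function names and the constructed 64-byte PAL8 row are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model (assumed layout, not FFmpeg's actual rasc.c code) of a
 * frame row: w pixels wide, bpp bytes per pixel (1 for PAL8). */
typedef struct {
    uint8_t *row;   /* start of the frame row */
    int w;          /* row width in pixels */
    int bpp;        /* bytes per pixel */
} row_t;

/* Pixel-unit check: only asks whether the starting position lies inside the
 * row and ignores that the access spans 4 bytes. Returns 1 if allowed. */
int allows_pixel_unit_check(int cx, int w, int bpp) {
    (void)bpp;
    return cx >= 0 && cx < w;
}

/* Byte-unit check applied before the access: the whole 4-byte span must fit. */
int allows_byte_unit_check(int cx, int w, int bpp) {
    return cx >= 0 && cx + 4 <= w * bpp;
}

/* 32-bit store at byte offset cx, refused unless the span fits in the row.
 * Returns 0 on success, -1 if the access was rejected. */
int write_u32_checked(row_t *r, int cx, uint32_t v) {
    if (!allows_byte_unit_check(cx, r->w, r->bpp))
        return -1;
    memcpy(r->row + cx, &v, 4);   /* alignment-safe 32-bit store */
    return 0;
}

/* Count starting offsets inside the row that a check accepts even though the
 * 4-byte access would run past the row end. A sound check yields 0. */
int overrun_offsets_accepted(int (*check)(int, int, int), int w, int bpp) {
    int n = 0;
    for (int cx = 0; cx < w * bpp; cx++)
        if (check(cx, w, bpp) && cx + 4 > w * bpp)
            n++;
    return n;
}

/* Try a checked 32-bit write at offset cx of a constructed 64-byte PAL8 row. */
int try_write_pal8_row(int cx) {
    uint8_t buf[64] = {0};
    row_t r = { buf, 64, 1 };
    return write_u32_checked(&r, cx, 0x41414141u);
}
```

For a 64-byte PAL8 row, overrun_offsets_accepted() reports 3 offsets (61, 62, 63) that the pixel-unit check lets through and 0 for the byte-unit check, and try_write_pal8_row(62) is rejected while try_write_pal8_row(60) succeeds.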

A GitHub proof of concept was published demonstrating exploitation of the FFmpeg libavcodec RASC decoder bug on upstream master. The PoC shows how a crafted bitstream can overwrite a nearby callback pointer and redirect execution, with AddressSanitizer output confirming a heap-buffer-overflow in decode_dlta().
A high-severity vulnerability affecting FFmpeg's RASC video decoder decode_dlta() function was disclosed. The flaw allows a crafted RASC media stream to trigger a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read during decoding, leading to memory corruption.