FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.
https://www.vulncheck.com/advisories/ffmpeg-out-of-bounds-write-in-rasc-decoder-decode-dlta
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-58049.json
https://github.com/bikini/exploitarium/tree/main/ffmpeg-rasc-dlta-calc-poc
https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/rasc.c
Published: 2026-06-28
Updated: 2026-07-15
Base Score: 9
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C
Severity: High
Base Score: 7.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Severity: High
Base Score: 8.8
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
Severity: High
EPSS: 0.00278