CVE-2026-12706
Ffmpeg: ffmpeg: heap use-after-free read in rasc decoder decode_move()
Description
A use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash).
INFO
Published Date :
June 19, 2026, 10:55 a.m.
Last Modified :
June 19, 2026, 11 a.m.
Remotely Exploit :
Yes !
Source :
redhat
Affected Products
The following products are affected by CVE-2026-12706
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | 53f830b8-0a3f-465b-8143-3b8a9948e749 | ||||
| CVSS 3.1 | MEDIUM | MITRE-CVE |
Solution
- Ensure the buffer is not reallocated after pointer initialization.
- Validate input AVI files for malicious RASC streams.
- Update FFmpeg to the latest stable version.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-12706 vulnerability anywhere in the article.