FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.
CVE-2026-58049
Score 8.6 from GitHub Security Advisory (severity: HIGH) published 2026-06-28. a secondary CVSS source baseline 8.6; sources differ by 0.0.
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.6
- EG Score
- 8.6(high)
- EPSS
- 12.2%
- KEV
- Not listed
Published
June 28, 2026
Last Modified
July 6, 2026
Advisory Details (3)
Auto-updated Jun 28, 2026FFmpeg - Out-of-Bounds Write in RASC Decoder decode_dlta() | Advisories | VulnCheck
https://www.vulncheck.com/advisories/ffmpeg-out-of-bounds-write-in-rasc-decoder-decode-dltaexploitarium/ffmpeg-rasc-dlta-calc-poc at main · bikini/exploitarium · GitHub
https://github.com/bikini/exploitarium/tree/main/ffmpeg-rasc-dlta-calc-pocFFmpeg/libavcodec/rasc.c at master · FFmpeg/FFmpeg · GitHub
https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/rasc.cVendor Advisories for CVE-2026-58049(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 40× in last 7d / 52× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-07 09:14 UTCEG score recompute
- 2026-07-07 09:14 UTCGHSA enrichment
- 2026-07-06 21:29 UTCEG score recompute
- 2026-07-06 21:29 UTCGHSA enrichment
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 09:45 UTCEG score recompute
- 2026-07-06 09:45 UTCGHSA enrichment
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 22:01 UTCEG score recompute
- 2026-07-05 22:01 UTCGHSA enrichment
- 2026-07-05 10:16 UTCEG score recompute
- 2026-07-05 10:16 UTCGHSA enrichment
- 2026-07-05 02:31 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 22:32 UTCEG score recompute
- 2026-07-04 22:32 UTCGHSA enrichment
- 2026-07-04 10:48 UTCEG score recompute
- 2026-07-04 10:48 UTCGHSA enrichment
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-03 23:04 UTCEG score recompute
- 2026-07-03 23:03 UTCGHSA enrichment
- 2026-07-03 11:15 UTCEG score recompute
Show 27 moreShow fewer
- 2026-07-03 11:15 UTCGHSA enrichment
- 2026-07-02 23:29 UTCEG score recompute
- 2026-07-02 23:29 UTCGHSA enrichment
- 2026-07-02 11:46 UTCEG score recompute
- 2026-07-02 11:46 UTCGHSA enrichment
- 2026-07-02 00:02 UTCEG score recompute
- 2026-07-02 00:02 UTCGHSA enrichment
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-07-01 12:18 UTCEG score recompute
- 2026-07-01 12:18 UTCGHSA enrichment
- 2026-07-01 00:34 UTCEG score recompute
- 2026-07-01 00:34 UTCGHSA enrichment
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 12:50 UTCEG score recompute
- 2026-06-30 12:50 UTCGHSA enrichment
- 2026-06-30 01:06 UTCEG score recompute
- 2026-06-30 01:06 UTCGHSA enrichment
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 13:22 UTCEG score recompute
- 2026-06-29 13:22 UTCGHSA enrichment
- 2026-06-29 01:38 UTCEG score recompute
- 2026-06-29 01:38 UTCGHSA enrichment
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 13:54 UTCEG score recompute
- 2026-06-28 13:54 UTCGHSA enrichment
- 2026-06-28 02:10 UTCEG score recompute
- 2026-06-28 02:09 UTCMITRE cvelistV5first tracked
Related CVEs(same CWE)
Same CWE
10 shownCWE-787
- CVE-2007-0158EG 9.8CRITICAL
- CVE-2007-0899EG 9.8CRITICAL
- CVE-2011-2462EG 9.8 KEVEPSS 100%CRITICAL
- CVE-2010-20115EG 9.3CRITICAL
- CVE-2010-4398NVD 7.8EG 9.0 KEVEPSS 94%HIGH
- CVE-2010-3333NVD 7.8EG 9.0 KEVEPSS 100%HIGH
- CVE-2010-2883NVD 7.3EG 9.0 KEVEPSS 100%HIGH
- CVE-2010-1297NVD 7.8EG 9.0 KEVEPSS 100%HIGH
- CVE-2009-3953NVD 8.8EG 9.0 KEVEPSS 100%HIGH
- CVE-2009-3129NVD 7.8EG 9.0 KEVEPSS 100%HIGH
Frequently asked(5)
What is CVE-2026-58049?
When was CVE-2026-58049 disclosed?
Is CVE-2026-58049 actively exploited?
What is the CVSS score of CVE-2026-58049?
How do I remediate CVE-2026-58049?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-58049
Is Your Infrastructure Affected by CVE-2026-58049?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.