Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged
Permalink CVE-2026-56208
7.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
created 12 hours ago Activity log
  • Created suggestion 12 hours ago
Libaom: libaom: heap buffer overflow in av1 encoder first-pass stats buffer via lap mode

A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution.

Affected products

aom
firefox
thunderbird

Matching in nixpkgs

pkgs.mfaomp

Multiple Files At Once Media Player

pkgs.faust2firefox

The faust2firefox script, part of faust functional programming language for realtime audio signal processing

pkgs.firefox_decrypt

Tool to extract passwords from profiles of Mozilla Firefox and derivates

pkgs.thunderbird-cli

Low-level CLI to manage Mozilla Thunderbird email from the shell

pkgs.thunderbird-mcp

MCP server for Thunderbird - enables AI assistants to access email, contacts, and calendars

pkgs.firefox-sync-client

Commandline-utility to list/view/edit/delete entries in a firefox-sync account

pkgs.thunderbird-cli-bridge

HTTP/WebSocket bridge daemon between thunderbird-cli (or any HTTP client) and the Thunderbird-cli WebExtension. Stateless proxy, localhost-only.

pkgs.gnomeExtensions.firefox-profiles

Easily launch Firefox with your favorite profile right from the indicator menu!

  • nixos-unstable 7
    • nixpkgs-unstable 7
    • nixos-unstable-small 7
  • nixos-26.05 7
    • nixos-26.05-small 7
    • nixpkgs-26.05-darwin 7

pkgs.gnomeExtensions.firefox-pip-always-on-top

Automatically sets Picture-in-Picture windows to always be on top and visible on all workspaces

  • nixos-unstable 4
    • nixpkgs-unstable 4
    • nixos-unstable-small 4
  • nixos-26.05 4
    • nixos-26.05-small 4
    • nixpkgs-26.05-darwin 4

Package maintainers