CVE-2023-39616

7.5 HIGH

📋 TL;DR

CVE-2023-39616 is a memory-safety bug in AOMedia's AV1 codec library (libaom), versions 3.0.0 through 3.5.0. Decoding a crafted AV1 bitstream triggers an invalid (out-of-bounds) read in the assign_frame_buffer_p function, which crashes the decoding process. Because the defect is a read rather than a write, the realistic outcome is denial of service; no path from this bug to code execution is known, and the 7.5 rating reflects that an unauthenticated, remotely supplied input can take the decoder down. Any software that links a vulnerable libaom for AV1 decoding is affected.

💻 Affected Systems

Products:
  • AOMedia libaom library (the AV1 reference encoder/decoder)
  • Software that links libaom for AV1 decoding (media frameworks such as FFmpeg and GStreamer, transcoding services, and players or other applications built on them)
Versions: 3.0.0 to 3.5.0
Operating Systems: All platforms where libaom is used (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Only systems that actually decode AV1 with a vulnerable libaom are exposed. Check which decoder a product uses before assuming exposure: several browsers and players decode AV1 with dav1d rather than libaom and are not affected by this bug, while applications that bundle or statically link their own libaom are affected regardless of the system library version.

📦 What is this software?

libaom is the Alliance for Open Media's reference implementation of the AV1 video codec, providing both an encoder (aomenc) and a decoder (aomdec) plus a C library (libaom) that media frameworks, transcoding services and players link to in order to decode AV1 content.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who can steer the out-of-bounds read into a controlled information leak, or chain it with a second bug, could do more than crash the decoder; in a privileged context such as a media server or an unsandboxed browser component that would escalate to a compromise of the host. No such chain is public, and the defect by itself is a read, not a write.

🟠

Likely Case

Crash (denial of service) of the process that decodes the malicious AV1 content. In a transcoding pipeline that means a failed or stuck job; in a long-running service it means a restart loop if the same input is retried, and repeated crashes if the attacker can resubmit.

🟢

If Mitigated

Limited impact with proper sandboxing and privilege separation: the crash is confined to an isolated, unprivileged decoder process, the host application and service survive, and the offending input can be quarantined.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the victim to decode attacker-supplied AV1 content (an uploaded file, a streamed bitstream, or a media file a user opens); no authentication is needed beyond getting the content to the decoder. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.1 and later

Vendor Advisory: https://aomedia.googlesource.com/aom/+/refs/tags/v3.5.1

Restart Required: Yes

Instructions:

1. Update libaom to 3.5.1 or later, or install your distribution's patched package (distributions often backport the fix without changing the upstream version string, so check the package changelog for CVE-2023-39616).
2. Rebuild or update every application that bundles or statically links libaom; updating the shared system library does not fix those copies.
3. Restart affected services or applications so they load the new library.

🔧 Temporary Workarounds

Disable AV1 video processing (platform: all)

Temporarily disable AV1 decoding in affected applications until patched, for example by removing AV1 from the list of accepted input formats or disabling the libaom decoder plugin in the media framework. Application-specific configuration is required.

🧯 If You Can't Patch

  • Reject AV1 content from untrusted sources at the ingest point (a container/codec probe, not a full decode), because validating the bitstream itself would require running the vulnerable decoder
  • Run the decoder in a sandboxed, unprivileged, resource-limited process (seccomp, containers, or a separate worker process) so a crash is contained and the worker is restarted without taking down the service

🔍 How to Verify

Check if Vulnerable:

Check the libaom version. Where development files are installed, `pkg-config --modversion aom` prints the library version; otherwise `aomdec --help` lists the bundled decoder and its version in its usage text. A version from 3.0.0 through 3.5.0 inclusive is in the affected range. On distribution-packaged systems also read the package changelog or the distribution's advisory, because fixes are often backported without changing the upstream version string.

Check Version:

pkg-config --modversion aom || aomdec --help 2>&1 | grep -i 'AV1 Decoder'

Verify Fix Applied:

Confirm the same commands report 3.5.1 or later (or a distribution package whose changelog references CVE-2023-39616), and that every application that bundles its own copy of libaom (static links, vendored builds, container images) has been rebuilt, since those copies are not fixed by updating the system library.
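A script that performs this check end to end, added here as an example and not part of the advisory or of libaom: it looks the version up through pkg-config (libaom installs an aom.pc file) or, failing that, the decoder's usage text, then decides whether the string falls inside 3.0.0 through 3.5.0 inclusive. The exact wording of the aomdec usage line and the presence of either tool on PATH are assumptions; the range test itself works on any version string passed to it, including the "v3.5.0-12-gabcdef" form that libaom embeds in git builds.

```shell
#!/bin/sh
# Added example: report whether an installed (or given) libaom version lies in
# the CVE-2023-39616 affected range 3.0.0 .. 3.5.0 inclusive.
# Assumptions: version strings look like "3.5.0", "v3.5.0" or
# "3.5.0-123-gabcdef"; pkg-config and/or aomdec may or may not be installed.

# Strip a leading "v" and any "-<n>-g<hash>" / "+build" suffix: v3.5.0-12-gabc -> 3.5.0
aom_normalize_version() {
  printf '%s\n' "$1" | sed -e 's/^v//' -e 's/[-+].*$//'
}

# Exit status 0: in affected range, 1: outside it, 2: unparsable string
aom_is_vulnerable() {
  v=$(aom_normalize_version "$1")
  [ -n "$v" ] || return 2
  set -- $(printf '%s' "$v" | tr '.' ' ')   # split into major minor patch
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  case "$major$minor$patch" in *[!0-9]*) return 2 ;; esac
  [ "$major" -eq 3 ] || return 1
  [ "$minor" -lt 5 ] && return 0                       # 3.0.x .. 3.4.x
  [ "$minor" -eq 5 ] && [ "$patch" -eq 0 ] && return 0 # exactly 3.5.0
  return 1                                             # 3.5.1+, 3.6+, ...
}

# Best-effort discovery of the installed version; prints nothing if unknown.
aom_installed_version() {
  if command -v pkg-config >/dev/null 2>&1; then
    pkg-config --modversion aom 2>/dev/null && return 0
  fi
  if command -v aomdec >/dev/null 2>&1; then
    # Assumption: the usage text contains "AOMedia Project AV1 Decoder v3.x.y"
    aomdec --help 2>&1 | sed -n 's/.*AV1 Decoder \(v[0-9][0-9.]*\).*/\1/p' | head -n 1
  fi
  return 0
}

# Human-readable verdict for this host.
aom_check_host() {
  v=$(aom_installed_version)
  if [ -z "$v" ]; then
    echo "libaom: version not found via pkg-config or aomdec (check bundled copies manually)"
  elif aom_is_vulnerable "$v"; then
    echo "libaom $v: in affected range 3.0.0-3.5.0 (CVE-2023-39616)"
  else
    echo "libaom $v: outside affected range"
  fi
}

aom_check_host
```

The version test is deliberately separate from the lookup so it can be run against strings pulled from package metadata or from `strings libaom.so` on hosts without the tools; it says nothing about backported distribution fixes, which still have to be checked in the package changelog.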

📡 Detection & Monitoring

Log Indicators:

  • Kernel segfault messages (dmesg, journalctl -k) naming a libaom module, e.g. "segfault at ... error 4 in libaom.so.3...", from processes that decode user-supplied video
  • Core dumps (coredumpctl) or application crash reports with libaom frames in the stack
  • Transcoding or media-processing jobs that fail repeatedly on the same input file

Network Indicators:

  • AV1 content (IVF, WebM, or MP4 with the av01 codec) arriving from untrusted sources at systems that decode with a vulnerable libaom; no network signature distinguishes a malicious file from a benign one without decoding it

SIEM Query:

Search kernel and application logs for segfault or access-violation events whose faulting module is libaom, or whose process is a known AV1 decoding component, and correlate each hit with the input file being processed at that time.
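On Linux the kernel's own segfault line is the most dependable of these indicators, and it names the faulting module, so a short filter separates libaom crashes from unrelated ones. The following is an added example, not part of the advisory: it parses the kernel's "segfault at ... error N in <module>" message, classifies the fault as a read or a write from the x86 page-fault error code (bit 1 set means a write), and reports the process and library. The sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report processes that crashed inside libaom, from Linux
# kernel segfault messages (as seen in dmesg / journalctl -k / syslog).
# The sample log below is constructed; the message format is the kernel's.

# Constructed sample: two libaom read faults and one unrelated write fault.
SAMPLE_LOG='Aug 14 10:02:11 host kernel: ffmpeg[2231]: segfault at 7f3a1c000000 ip 00007f3a2b41c2d0 sp 00007ffd9e0d1a40 error 4 in libaom.so.3.5.0[7f3a2b3f0000+3a0000]
Aug 14 10:03:45 host kernel: python3[2290]: segfault at 0 ip 000055d2b7d3a1e0 sp 00007ffe2f0b0c10 error 6 in python3.11[55d2b7c00000+2b0000]
Aug 14 10:05:02 host transcode[2301]: decoding upload_8813.ivf
Aug 14 10:05:03 host kernel: transcode[2301]: segfault at 10 ip 00007f9b6e5a9f10 sp 00007ffc1a2b3c50 error 4 in libaom.so.3[7f9b6e500000+3a0000]'

# Reads log lines on stdin; prints "<proc[pid]> <read|write>-fault in <module>"
# for every segfault whose faulting module is libaom.
aom_segfault_report() {
  awk '
    /segfault at .* error [0-9]+ in libaom\.so/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "segfault") proc = $(i - 1)          # "ffmpeg[2231]:"
        if ($i == "error")   { code = $(i + 1); lib = $(i + 3) }
      }
      sub(/:$/, "", proc)                               # drop trailing colon
      sub(/\[.*/, "", lib)                              # drop "[base+size]"
      # x86 page-fault error code: bit 1 set = write access, clear = read
      kind = (int(code / 2) % 2 == 1) ? "write" : "read"
      printf "%s %s-fault in %s\n", proc, kind, lib
    }'
}

# Number of libaom crashes in the input (0 when there are none).
aom_segfault_count() {
  aom_segfault_report | grep -c .
}

printf '%s\n' "$SAMPLE_LOG" | aom_segfault_report
```

Feed it `dmesg` or `journalctl -k --no-pager` output. A read fault (error code 4 or 5) in libaom from a process that decodes untrusted input is the signature this bug leaves; a write fault in libaom, or any fault in another module, points to a different problem and should be triaged separately.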
