CVEs: CVE-2026-58049 (FFmpeg, CVSS 8.6), CVE-2026-58056 (RustDesk, CVSS 7.6), CVE-2026-58050 (libssh2, CVSS 7.0) | Date: June 28, 2026
FFmpeg CVE-2026-58049 — RASC Video Decoder Out-of-Bounds Write (CVSS 8.6)
Software affected: FFmpeg — the near-universal multimedia framework. RASC video decoder (libavcodec/rasc.c).
CVE: CVE-2026-58049 | CVSS 8.6 (HIGH) | CWE-787 Out-of-bounds Write. The RASC decoder’s decode_dlta function performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check, and validates the DLTA region in pixels rather than bytes. On a PAL8 frame, a crafted DLTA run can write several bytes past the row allocation — a classic heap buffer overflow. Exploitable via a malicious video file.
Status: This is the second FFmpeg vulnerability this period following last week’s PixelSmash flaw. FFmpeg underpins video processing in Chrome, Firefox, VLC, OBS Studio, HandBrake, YouTube backend, and Netflix encoding — every decoder vulnerability has an enormous blast radius. No known active exploitation.
Fix: Upgrade FFmpeg to the patched version. Audit video processing pipelines that accept untrusted input — particularly user-uploaded video content.
RustDesk CVE-2026-58056 — File Transfer Session Keyboard/Mouse Injection (CVSS 7.6)
Software affected: RustDesk — open-source remote desktop application.
CVE: CVE-2026-58056 | CVSS 7.6 (HIGH) | CWE-863 Incorrect Authorization. RustDesk gates incoming control messages on per-capability flags but does not clear those flags when a session transitions between types. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input because the file transfer capability flags persist into the control channel. Someone authorized only to transfer files can silently take full remote control of the desktop.
Fix: Upgrade RustDesk. Review remote desktop access policies — do not grant file transfer access to untrusted peers. Restrict RustDesk access to authenticated and authorized users only.
libssh2 CVE-2026-58050 — Publickey Subsystem Integer Overflow (CVSS 7.0)
Software affected: libssh2 through version 1.11.1 — widely used C library implementing the SSH2 protocol. Used by git over SSH, SFTP clients, custom SSH tools, and embedded systems.
CVE: CVE-2026-58050 | CVSS 7.0 (HIGH) | CWE-190 Integer Overflow. libssh2 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking. On 32-bit platforms, the multiplication overflows to an undersized buffer, enabling a heap overflow from a malicious or compromised SSH server. This is a client-side vulnerability — a malicious SSH server can exploit any client that uses libssh2 to connect to it.
Fix: Upgrade libssh2 beyond 1.11.1. Most modern 64-bit systems are less affected by the integer overflow but should still be updated. 32-bit embedded systems and IoT devices are at highest risk.
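Added example, not libssh2's own code: the arithmetic of the num_attrs * sizeof(...) sizing described above as it behaves when size_t is 32 bits, beside a checked version that caps the untrusted count and rejects any product that would wrap. The struct layout, the cap of 4096 attributes and the hostile count are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the attribute record a publickey-subsystem response describes.
 * Assumed layout for the example; not libssh2's real definition. */
typedef struct {
    const char *name;
    uint32_t    name_len;
    const char *value;
    uint32_t    value_len;
    char        mandatory;
} pk_attribute;

/* Reproduces the arithmetic of the vulnerable pattern as it behaves when
 * size_t is 32 bits: count * elem_size is reduced modulo 2^32 before it
 * reaches malloc(), so a huge count yields a tiny buffer. */
uint32_t wrapped_alloc_size32(uint32_t count, uint32_t elem_size) {
    return (uint32_t)((uint64_t)count * elem_size);
}

/* Hardened sizing: bound the untrusted count by a protocol-level ceiling
 * first, then refuse any product that would not fit in size_t. size_max is a
 * parameter so the same check can be exercised for 32- and 64-bit targets.
 * Returns the byte count to allocate, or 0 when the response must be
 * rejected (a response with zero attributes needs no buffer either). */
uint64_t checked_attr_bytes(uint32_t count, uint64_t elem_size,
                            uint64_t size_max, uint32_t max_count) {
    if (count > max_count)                         /* implausible count */
        return 0;
    if (elem_size != 0 && count > size_max / elem_size) /* would wrap */
        return 0;
    return (uint64_t)count * elem_size;
}

int main(void) {
    /* Constructed hostile count: 0x10000001 attributes of 16 bytes each. */
    uint32_t hostile = 0x10000001u;
    printf("32-bit wrapped size: %u bytes\n", wrapped_alloc_size32(hostile, 16));
    printf("checked, 32-bit size_t: %llu bytes (0 = rejected)\n",
           (unsigned long long)checked_attr_bytes(hostile, 16, UINT32_MAX, 4096));
    printf("checked, 3 real attrs, 64-bit size_t: %llu bytes\n",
           (unsigned long long)checked_attr_bytes(3, sizeof(pk_attribute),
                                                  UINT64_MAX, 4096));
    return 0;
}
```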
Recommendations
- FFmpeg: Upgrade immediately — second decoder vulnerability this period. Prioritise systems processing untrusted video input.
- RustDesk: Upgrade and audit remote desktop access controls. Do not grant file transfer to untrusted peers.
- libssh2: Upgrade on all systems, prioritise 32-bit platforms. Audit all applications linking against libssh2.
References
- FFmpeg RASC Decoder Source (CVE-2026-58049)
- RustDesk Session Permission PoC (CVE-2026-58056)
- libssh2 Publickey Subsystem PoC (CVE-2026-58050)
Part of the Vulnerability Intelligence series on threat-modeling.com. Three vulnerabilities grouped. See the June 28, 2026 Vulnerability Intelligence Report for broader context.
