# Install h26forge with Homebrew, apk

Tool for making syntactically valid but semantically spec-noncompliant videos. Version 2024-07-06 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:h26forge
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install h26forge
```

  Evidence: local Homebrew formula metadata

### Linux

- apk (92%):

```sh
sudo apk add h26forge
```

  Evidence: Alpine Linux edge package indexes: h26forge from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

## Package facts

- **Package key:** brew:h26forge
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/h26forge>
- **Version:** 2024-07-06
- **Source summary:** Tool for making syntactically valid but semantically spec-noncompliant videos
- **Homepage:** <https://github.com/h26forge/h26forge>
- **Repository:** <https://github.com/h26forge/h26forge>
- **Upstream docs:** <https://github.com/h26forge/h26forge#readme>
- **License:** MIT
- **Source archive:** <https://github.com/h26forge/h26forge/archive/refs/tags/2024-07-06.tar.gz>
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- h26forge (cli)
- h26forge (alias)

## Build dependencies

- rust

## Uses from macOS

- llvm

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, monterey, sonoma, ventura, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2024-07-06
- Local data: ok
- Upstream repository: https://github.com/h26forge/h26forge
- info: No package-manager update timestamp was available.
- info: No cached GitHub release or tag data was available.
## Project history and usage

H26Forge is a research-oriented H.264 security tool for producing syntactically valid but semantically non-compliant video bitstreams. Its package-manager niche is narrow: it gives codec and vulnerability researchers a reproducible CLI for generating, mutating, and editing Annex B H.264 streams without hand-editing entropy-coded syntax elements.

### Project history

The public repository was created in February 2023, alongside the USENIX Security 2023 paper by W.R. Vasquez, Stephen Checkoway, and Hovav Shacham. The README describes the tool as infrastructure for analyzing, generating, and manipulating H.264 files, and the paper frames it as a response to the difficulty of exploring bugs in hardware-accelerated and privileged video decoders.

H26Forge evolved around three modes: random mutation of syntax elements, scripted programmatic editing, and generation of Annex B H.264 streams that can be written to files or streamed over RTP. The project documentation also records conformance work against ITU H.264 test vectors and examples for reproducing specific decoder-bug conditions.

### Adoption history

Adoption is primarily visible in security-research use rather than broad application development. The README lists vulnerabilities and fixes associated with H26Forge-generated or H26Forge-assisted test cases across FFmpeg/VLC, Apple platforms, Firefox, Pixel hardware decoding, and CoreMedia on Windows.

Its Homebrew formula made the research tool easier to install as a normal command-line package, which matters for a tool whose users may be reproducing papers, validating decoder behavior, or generating batches of proof-of-concept media on macOS.

### How it is used

Typical use starts with generating an Annex B H.264 bitstream, mutating syntax elements from an existing stream, or running a Python editing script over decoded syntax elements before re-encoding. The project points users to FFmpeg for extracting Annex B streams from MP4 input and to `config/default.json` or specialized configs for generation ranges.

### Why package nerds care

H26Forge is interesting because it packages a highly specialized academic/security artifact as a Rust CLI. Instead of being a codec, encoder, or transcoder, it deliberately creates edge-case media that remains parseable enough to exercise decoder semantics, filling a gap between fuzzers, bitstream analyzers, and multimedia test suites.

### Timeline

- 2023: Public GitHub repository created.
- 2023: USENIX Security paper described H26Forge and its decoder-vulnerability workflow.
- 2024: README trophy list included later decoder findings such as Pixel MFC and Apple CoreMedia issues.

### Related projects

- H26Forge sits near FFmpeg, ITU H.264 conformance vectors, browser and OS video decoders, and security fuzzing infrastructure. Its documentation also relates it to H.264/AVC specification work and to proof-of-concept generation for decoder CVEs.

### Sources

- <https://formulae.brew.sh/formula/h26forge>
- <https://github.com/h26forge/h26forge>
- <https://github.com/h26forge/h26forge/blob/main/docs/GETTINGSTARTED.md>
- <https://raw.githubusercontent.com/h26forge/h26forge/main/README.md>
- <https://wrv.github.io/h26forge.pdf>


## Security Notes

broad file, network, media, or database tool signal.

- **Geiger risk:** blue / medium
- broad file, network, media, or database tool signal

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** h26forge
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- apk - h26forge - 2024.07.06-r0: normalized package name match | Alpine Linux edge package indexes: h26forge from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Analyze, generate, and manipulate syntactically correct but semantically spec-non-compliant video files | https://github.com/h26forge/h26forge


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [wuppiefuzz](https://www.automicvault.com/pkg/brew/wuppiefuzz/) - Shares av.db curated category or tags: cli, fuzzing, rust, security, security-testing.
- [ffuf](https://www.automicvault.com/pkg/brew/ffuf/) - Shares av.db curated category or tags: cli, fuzzing, security.
- [medusa](https://www.automicvault.com/pkg/brew/medusa/) - Shares av.db curated category or tags: cli, fuzzing, security, security-testing.
- [radamsa](https://www.automicvault.com/pkg/brew/radamsa/) - Shares av.db curated category or tags: cli, fuzzing, security, security-testing.
- [afl++](https://www.automicvault.com/pkg/brew/afl/) - Shares av.db curated category or tags: cli, fuzzing, security, security-testing.
- [echidna](https://www.automicvault.com/pkg/brew/echidna/) - Shares av.db curated category or tags: cli, fuzzing, security, security-testing.
- [cargo-audit](https://www.automicvault.com/pkg/brew/cargo-audit/) - Shares av.db curated category or tags: cli, rust, security.
- [cargo-cyclonedx](https://www.automicvault.com/pkg/brew/cargo-cyclonedx/) - Shares av.db curated category or tags: cli, rust, security.
- [dnsgen](https://www.automicvault.com/pkg/brew/dnsgen/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, security, security-testing, testing.

## Combined YAML source

View the package source record on GitHub. [combined/h26forge.yml](https://github.com/automic-vault/db/blob/main/combined/h26forge.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
