diff --git a/RELEASENOTES.md b/RELEASENOTES.md
index 2c5e5faa92..209263c5ba 100644
--- a/RELEASENOTES.md
+++ b/RELEASENOTES.md
@@ -81,6 +81,8 @@
         ([#9673](https://github.com/google/ExoPlayer/issues/9673)).
     *   Add basic support for WebVTT subtitles in Matroska containers
         ([#9886](https://github.com/google/ExoPlayer/issues/9886)).
+    *   Prevent `Cea708Decoder` from reading more than the declared size of a
+        service block.
 *   DRM:
     *   Remove `playbackLooper` from `DrmSessionManager.(pre)acquireSession`.
         When a `DrmSessionManager` is used by an app in a custom `MediaSource`,
diff --git a/library/extractor/src/main/java/com/google/android/exoplayer2/text/cea/Cea708Decoder.java b/library/extractor/src/main/java/com/google/android/exoplayer2/text/cea/Cea708Decoder.java
index ba167a229a..2925ae7a54 100644
--- a/library/extractor/src/main/java/com/google/android/exoplayer2/text/cea/Cea708Decoder.java
+++ b/library/extractor/src/main/java/com/google/android/exoplayer2/text/cea/Cea708Decoder.java
@@ -327,7 +327,9 @@ public final class Cea708Decoder extends CeaDecoder {
     // 8.10.4 for more details.
     boolean cuesNeedUpdate = false;
 
-    while (serviceBlockPacket.bitsLeft() > 0) {
+    int blockEndBitPosition = serviceBlockPacket.getPosition() + (blockSize * 8);
+    while (serviceBlockPacket.bitsLeft() > 0
+        && serviceBlockPacket.getPosition() < blockEndBitPosition) {
       int command = serviceBlockPacket.readBits(8);
       if (command != COMMAND_EXT1) {
         if (command <= GROUP_C0_END) {