CVE-2026-33165

MEDIUM EPSS 13.9%
Published Mar 20, 20263mo ago · Modified Jun 17, 20261w ago
5.0 CVSS 3.1
Medium
Find Similar
Published Mar 20, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.

CVSS Details

Base Score
5.0
Exploitability
1.3
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
13.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 1

VendorProductVersionRange
strukturlibde265* <1.0.17

References 3

  • github.com https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658
    Patch
  • github.com https://github.com/strukturag/libde265/releases/tag/v1.0.17
    Release Notes
  • github.com https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg
    ExploitPatchVendor Advisory

Remediation

  • github.com https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658
    Patch
  • github.com https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg
    ExploitPatchVendor Advisory