Description
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a NULL pointer dereference within libde265's handling of the Picture Parameter Set when processing an H.265 NAL unit. A malformed PPS NAL unit triggers a segmentation fault during the set_derived_values() call, causing the decoder process to terminate. The weakness is classified as an out‑of-bounds memory access and a null pointer dereference, consistent with the assigned CWEs. The resulting crash undermines availability of any software that relies on the library to decode video streams.

Affected Systems

All installations of strukturag's libde265 released before version 1.0.17 are affected. The library is employed in many applications that decode H.265/HEVC content, so any component embedding the vulnerable library is at risk. The advisory confirms that the issue was fixed in version 1.0.17 and subsequent releases.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while an EPSS score of less than 1% implies a relatively low likelihood of exploitation at present. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. If an application decodes untrusted H.265 data, an attacker could craft a malformed PPS NAL unit to trigger the crash and cause a denial of service. The likely attack vector is inferred to be remote via externally supplied media, but explicit details are not provided in the advisory.

Generated by OpenCVE AI on March 24, 2026 at 03:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libde265 to version 1.0.17 or later
  • If an upgrade cannot be applied immediately, block or sandbox the processing of untrusted H.265 streams until a patch is available
  • Monitor the application for segmentation faults or unexpected shutdowns that may indicate exploitation

Generated by OpenCVE AI on March 24, 2026 at 03:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:a:struktur:libde265:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Struktur
Struktur libde265
Vendors & Products Struktur
Struktur libde265

Fri, 20 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.
Title NULL Pointer Dereference in libde265
Weaknesses CWE-122
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Struktur Libde265
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T16:50:53.124Z

Reserved: 2026-03-17T21:17:08.887Z

Link: CVE-2026-33164

cve-icon Vulnrichment

Updated: 2026-03-23T16:50:45.720Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T21:17:16.233

Modified: 2026-03-23T20:05:09.420

Link: CVE-2026-33164

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:34:33Z

Weaknesses