Description
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.
Published: 2026-03-20
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap out‑of‑bounds write causing memory corruption
Action: Immediate Patch
AI Analysis

Impact

A heap out‑of‑bounds write in libde265 allows a crafted HEVC bitstream to overwrite two bytes beyond a heap allocation. The flaw occurs when the Log2CtbSizeY value changes after an SPS change while PicWidthInCtbsY and PicHeightInCtbsY remain constant, causing set_SliceHeaderIndex to index past the image‑metadata array. This memory corruption can lead to undefined behaviour; no evidence indicates it results in code execution. The CVSS score of 5.5 reflects moderate severity, signalling potential confidentiality, integrity, or availability impacts.

Affected Systems

Any deployment of strukturag libde265 prior to version 1.0.17 is affected; the fix is available in 1.0.17 and newer.

Risk and Exploitability

The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require supplying a malicious HEVC stream to a vulnerable decoder—an attack vector inferred from the description. No confirmed privilege escalation or remote code execution has been reported. The moderate CVSS score and low exploitation probability suggest a low to moderate overall risk.

Generated by OpenCVE AI on March 24, 2026 at 04:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libde265 to version 1.0.17 or later.
  • If the application must continue to process HEVC streams, restrict handling of untrusted content until the update is applied.
  • Regularly review the libde265 project page and GitHub advisories for new releases.

Generated by OpenCVE AI on March 24, 2026 at 04:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:struktur:libde265:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Struktur
Struktur libde265
Vendors & Products Struktur
Struktur libde265

Fri, 20 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.
Title heap out-of-bounds write in libde265 1.0.16
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Struktur Libde265
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:48:34.866Z

Reserved: 2026-03-17T21:17:08.888Z

Link: CVE-2026-33165

cve-icon Vulnrichment

Updated: 2026-03-24T18:48:22.689Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T21:17:16.453

Modified: 2026-03-23T20:09:04.893

Link: CVE-2026-33165

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:34:34Z

Weaknesses