Description
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.
Published: 2026-06-19
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

libde265 suffers from a missing bound check on the construction of short‑term reference picture sets. A crafted H.265 bitstream can trigger an array write beyond the 16‑entry limit of the PocStFoll structure. This out‑of‑bounds write can corrupt memory, potentially causing a crash or enabling arbitrary code execution if exploited maliciously. The flaw is classified as CWE‑787, which denotes out‑of‑bounds write vulnerabilities.
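The gap between per-list and aggregate validation described above, as an added example (a simplified model, not libde265's source): the `st_rps` layout and every function name below are hypothetical, and only the 16-entry capacity and the `PocStFoll` name come from the advisory text.

```c
#include <stdbool.h>
#define MAX_NUM_REF_PICS 16  /* capacity of the PocStFoll array named on the page */

/* Simplified model of a short-term RPS after prediction (hypothetical layout). */
struct st_rps {
    int  num_s0, num_s1;  /* entry counts of the two lists */
    int  delta_s0[MAX_NUM_REF_PICS], delta_s1[MAX_NUM_REF_PICS];
    bool used_s0[MAX_NUM_REF_PICS],  used_s1[MAX_NUM_REF_PICS];
};

/* Per-list validation only: each list fits, the sum is never examined. */
bool lists_ok(const struct st_rps *r) {
    return r->num_s0 >= 0 && r->num_s0 <= MAX_NUM_REF_PICS &&
           r->num_s1 >= 0 && r->num_s1 <= MAX_NUM_REF_PICS;
}

/* Aggregate validation: the combined count must fit the array as well. */
bool rps_ok(const struct st_rps *r) {
    return lists_ok(r) && r->num_s0 + r->num_s1 <= MAX_NUM_REF_PICS;
}

/* Highest index a fill relying on lists_ok() alone would write (-1 if none); no write is done. */
int highest_foll_index(const struct st_rps *r) {
    int n = 0;
    for (int i = 0; i < r->num_s0; i++) n += !r->used_s0[i];
    for (int i = 0; i < r->num_s1; i++) n += !r->used_s1[i];
    return n - 1;
}

/* Hardened fill: rejects the whole RPS (-1) before any write can pass the end. */
int fill_st_foll(const struct st_rps *r, int poc_curr, int foll[MAX_NUM_REF_PICS]) {
    if (!rps_ok(r)) return -1;
    int n = 0;
    for (int i = 0; i < r->num_s0; i++)
        if (!r->used_s0[i]) foll[n++] = poc_curr + r->delta_s0[i];
    for (int i = 0; i < r->num_s1; i++)
        if (!r->used_s1[i]) foll[n++] = poc_curr + r->delta_s1[i];
    return n;
}

/* Constructed sample: n0 + n1 entries (each <= 16), none used by the current picture. */
struct st_rps sample_rps(int n0, int n1) {
    struct st_rps r = {0};
    r.num_s0 = n0; r.num_s1 = n1;
    for (int i = 0; i < MAX_NUM_REF_PICS; i++) { r.delta_s0[i] = -(i + 1); r.delta_s1[i] = i + 1; }
    return r;
}

int main(void) { struct st_rps r = sample_rps(9, 8); return rps_ok(&r); /* exit 0: rejected */ }
```

With 9 and 8 entries both lists pass the per-list check, yet the 17th entry would land at index 16, one past the end of a 16-entry array.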

Affected Systems

The issue exists in the function `decoder_context::process_reference_picture_set()` in libde265. Versions prior to 1.0.20 are affected. The library is maintained by strukturag and is used in various open‑source video decoding projects. Users relying on any version older than 1.0.20 and decoding untrusted H.265 streams are affected.

Risk and Exploitability

The CVSS v3.1 score of 7.1 falls in the High severity range. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, implying no confirmed exploitation in the wild at this time. The likely attack vector is an application that processes externally supplied H.265 bitstreams, potentially over the network or from local files. If the application bypasses normal security boundaries, an attacker could deliver the crafted stream to trigger the memory corruption.

Generated by OpenCVE AI on June 19, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libde265 to version 1.0.20 or later, which patches the bound check issue.
  • If an upgrade is not immediately possible, isolate the decoding process in a sandboxed environment and restrict it to trusted inputs only.
  • Enable compiler security options such as stack protection and address space randomization to mitigate exploitation risks.


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.
Title libde265 has an out-of-bounds write in process_reference_picture_set via predicted short-term RPS
Weaknesses CWE-787
References
Metrics cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T20:12:41.334Z

Reserved: 2026-05-28T20:07:58.862Z

Link: CVE-2026-49295

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:30:17Z

Weaknesses