The vulnerability resides in libde265, an open‑source implementation of the HEVC (H.265) video codec. A crafted sequence of H.265 NAL units causes the decoder function decoder_context::read_slice_NAL() to attach slice headers to a picture object that is missing an active image unit. These orphaned headers are never freed until the picture is released, which may never happen during continuous streaming. The result is an attacker‑controlled unbounded heap growth that can exhaust system memory and lead to denial of service.

The affected product is libde265 from strukturag. All releases prior to version 1.0.20 are vulnerable, including both source and binary distributions. Version 1.0.20 and later contain a patch that corrects the memory allocation logic and prevents orphaned slice header retention.

The CVSS score of 4.3 indicates low‑to‑moderate severity. Because EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of widespread exploitation appears limited at present. An attacker must be able to deliver a malicious H.265 stream to the decoder, which could occur through a misconfigured media ingestion pipeline, a video processing service, or an embedded device that accepts external video input. Once the malicious stream is fed into the decoder, the uncontrolled memory allocation will continue until system resources are exhausted, resulting in service interruption. No code execution is possible; the impact is limited to memory exhaustion and DoS.