Impact
The vulnerability arises when libde265 processes a high-dimension SPS (sequence parameter set) element with a 16-bit bit depth: a signed integer overflow in de265_image_get_buffer wraps the allocation size down to a few kilobytes, and a subsequent call to fill_image then writes approximately 4 GB into the undersized heap buffer. This memory corruption can be triggered by a crafted H.265 bitstream. The likely attack vector is an attacker delivering a malicious file to the decoder, a scenario common to media players, streaming servers, and embedded systems. The resulting overflow allows an attacker to overwrite arbitrary memory, leading to denial of service or arbitrary code execution. This weakness is identified as CWE-190: Integer Overflow or Wraparound.
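The size arithmetic described above, as an added illustration that is not libde265's code: the function names, the 1 GiB cap and the sample dimensions are assumptions constructed for this example. It shows a 32-bit size computation wrapping to a few kilobytes and a checked version that rejects the same input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy cap on one image plane; not a libde265 constant. */
#define MAX_PLANE_BYTES ((size_t)1 << 30)

/* Defect class: the byte count is reduced to 32 bits. Unsigned arithmetic is
 * used so the wrap is well-defined here; with plain int the overflow is
 * undefined behaviour. */
static uint32_t plane_size_wrapped(uint32_t width, uint32_t height,
                                   uint32_t bit_depth)
{
    uint32_t bytes_per_sample = (bit_depth + 7) / 8;
    return width * height * bytes_per_sample; /* modulo 2^32 */
}

/* Hardened form: every multiplication is checked before it happens, and
 * oversized requests are rejected instead of being allocated short. */
static bool plane_size_checked(uint32_t width, uint32_t height,
                               uint32_t bit_depth, size_t *out)
{
    size_t bytes_per_sample = ((size_t)bit_depth + 7) / 8;
    if (width == 0 || height == 0 || bytes_per_sample == 0)
        return false;
    if ((size_t)width > MAX_PLANE_BYTES / height)
        return false;                         /* width * height too large */
    size_t samples = (size_t)width * height;
    if (samples > MAX_PLANE_BYTES / bytes_per_sample)
        return false;                         /* samples * bytes too large */
    *out = samples * bytes_per_sample;
    return true;
}

int main(void)
{
    /* Constructed dimensions, chosen only so the product exceeds 2^32. */
    uint32_t w = 46341, h = 46341, depth = 16;
    size_t need = 0;
    printf("wrapped size: %u bytes\n", (unsigned)plane_size_wrapped(w, h, depth));
    printf("checked: %s\n",
           plane_size_checked(w, h, depth, &need) ? "accepted" : "rejected");
    return 0;
}
```

A decoder that validates dimensions this way fails the allocation request up front, so the later fill never runs against a short buffer.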
Affected Systems
The defect affects the open-source libde265 implementation from strukturag. Any build of the library prior to version 1.1.0 is vulnerable; the patch was incorporated in release 1.1.0. Systems that link against these older binaries or compile the library from source without the hot‑fix are at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation to date. However, because the overflow can be triggered by externally supplied video content, media players, servers, or embedded devices that process H.265 streams are potential targets. If an attacker can supply a malicious stream, the overflow can overwrite heap memory, potentially granting code execution or causing a crash, depending on the host environment.