Skip to main content

libde265 CVE-2026-49295

| EUVDEUVD-2026-38079 HIGH
Out-of-bounds Write (CWE-787)
2026-06-19 GitHub_M
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
vuln.today AI
7.1 HIGH

Network-delivered crafted bitstream, no auth, but requires the user to open the file (UI:R); OOB write yields integrity tampering and high availability impact with no direct confidentiality disclosure.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 23:17 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 20:45 vuln.today
Analysis Generated
Jun 19, 2026 - 20:45 vuln.today

DescriptionCVE.org

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in decoder_context::process_reference_picture_set() (libde265/decctx.cc:1376). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry PocStFoll array, writing at index 16. Version 1.0.20 patches the issue.

AnalysisAI

Out-of-bounds write in libde265 prior to version 1.0.20 allows remote attackers to corrupt memory by tricking a user into processing a maliciously crafted H.265 bitstream. The flaw resides in the short-term reference picture set handling and can lead to denial of service or potential code execution in any application that links libde265 for HEVC decoding. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malformed H.265 RPS bitstream
Delivery
Deliver via .heic/.mp4 email or web link
Exploit
Victim opens file in libde265-backed viewer
Execution
Predicted RPS construction overflows NumDeltaPocs past 16
Persist
Out-of-bounds write to PocStFoll[16] corrupts decoder context
Impact
Process crash or potential code execution

Vulnerability AssessmentAI

Exploitation Victim must open or render an attacker-supplied H.265 bitstream (raw stream, .heic, or HEVC-encoded video) using an application built against libde265 prior to 1.0.20; UI:R in the CVSS vector confirms user interaction is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H) accurately reflects a client-side parsing bug: network-reachable via any application that decodes attacker-supplied HEVC content, but requires user interaction such as opening a file or visiting a page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious H.265 bitstream (e.g., embedded in a .heic image or .mp4 video) where the predicted short-term reference picture set construction pushes NumDeltaPocs to 17, and delivers it via email attachment, web download, or messaging app. When the victim opens the file in a viewer that uses libde265 (directly or via libheif), the decoder writes past the 16-entry PocStFoll array, corrupting adjacent decoder state and crashing the process or potentially enabling code execution. …
Remediation Vendor-released patch: libde265 1.0.20 - upgrade to this version, which adds an aggregate NumDeltaPocs > MAX_NUM_REF_PICS check in read_short_term_ref_pic_set() (commit 691f3a3c55b3d32478c4a49895dee061a282652b). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems using libde265 (check video applications, media servers, and codec library dependencies for versions prior to 1.0.20). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-1253 CRITICAL POC
9.8 Apr 06

Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. Rated critical severit

CVE-2023-49468 HIGH POC
8.8 Dec 07

Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at sl

CVE-2023-49467 HIGH POC
8.8 Dec 07

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merg

CVE-2023-49465 HIGH POC
8.8 Dec 07

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic

CVE-2023-27103 HIGH POC
8.8 Mar 15

Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at m

CVE-2023-43887 HIGH POC
8.1 Nov 22

Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameter

CVE-2023-25221 HIGH POC
7.8 Mar 01

Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic

CVE-2024-38950 MEDIUM POC
6.5 Jun 26

Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to

CVE-2023-27102 MEDIUM POC
6.5 Mar 15

Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segm

CVE-2023-24751 MEDIUM POC
6.5 Mar 01

libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. Rated medi

CVE-2022-43253 MEDIUM POC
6.5 Nov 02

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_unweighted_pred_16_fallback in fa

CVE-2022-43252 MEDIUM POC
6.5 Nov 02

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_16_fallback in fallback-moti

Share

CVE-2026-49295 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy