Skip to main content

libde265 CVE-2026-49346

| EUVDEUVD-2026-38080 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-19 GitHub_M
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
vuln.today AI
7.6 HIGH

Network-delivered media parsed with one user action, no auth, no special prerequisites; heap OOB write makes availability High and plausibly leaks/alters memory, so C and I set to Low.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 23:17 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 20:47 vuln.today
Analysis Generated
Jun 19, 2026 - 20:47 vuln.today

DescriptionCVE.org

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in de265_image_get_buffer() (libde265/image.cc:128). The overflow wraps the plane allocation size to a small value (~1 KB), but the subsequent fill_image() call computes the real size using size_t, writing ~4 GB into the undersized heap buffer. Version 1.1.0 patches the issue.

AnalysisAI

Heap buffer overflow in libde265 prior to version 1.1.0 allows remote attackers to corrupt heap memory and likely achieve code execution by tricking a user into processing a crafted H.265 video stream. The flaw stems from a 32-bit signed integer overflow in plane allocation sizing that wraps to ~1 KB, after which fill_image() writes the true ~4 GB plane content into the undersized buffer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft H.265 stream with oversized SPS and 16-bit depth
Delivery
Deliver via web/email/message attachment
Exploit
Victim opens file in libde265-backed app
Execution
32-bit overflow allocates ~1 KB plane buffer
Persist
fill_image() writes ~4 GB into undersized heap buffer
Impact
Heap corruption crashes process or enables code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires the target application to decode an attacker-supplied H.265 bitstream whose Sequence Parameter Set declares dimensions large enough that luma_height * luma_bpl (with BitDepth_Y or BitDepth_C of 16, i.e., 2 bytes per sample) exceeds INT32_MAX, triggering the 32-bit signed overflow in de265_image_get_buffer() at libde265/image.cc:128. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H (7.1 High) accurately reflects a media-parsing flaw: network-reachable via any application that decodes attacker-supplied H.265 streams, but exploitation requires user interaction (opening a file, visiting a page, previewing a thumbnail) and yields high availability impact (process crash via OOB write of ~4 GB) with at most limited integrity impact in the abstract NVD model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts an H.265 bitstream whose SPS declares very large luma/chroma dimensions and 16-bit depth, then delivers it as an .hevc/.mp4/.heif/.heic file via email attachment, web page, messaging app, or shared folder. When the victim opens or previews the file, libde265's de265_image_get_buffer() allocates a ~1 KB plane buffer due to the 32-bit overflow, and fill_image() then writes the full multi-gigabyte plane content into that buffer, producing a heap overflow that crashes the decoder process and may be steered toward arbitrary code execution. …
Remediation Upgrade libde265 to vendor-released patch version 1.1.0, which fixes the integer overflow in de265_image_get_buffer() by widening stride/height to uint32_t and casting allocation and memcpy size computations to size_t (commit https://github.com/strukturag/libde265/commit/8a1b5cf212f78e1c77cb46eb5d56e492a9336eb8; advisory https://github.com/strukturag/libde265/security/advisories/GHSA-vv8h-932h-7r86). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all systems and applications using libde265 to establish risk scope within your environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-1253 CRITICAL POC
9.8 Apr 06

Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. Rated critical severit

CVE-2023-49468 HIGH POC
8.8 Dec 07

Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at sl

CVE-2023-49467 HIGH POC
8.8 Dec 07

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merg

CVE-2023-49465 HIGH POC
8.8 Dec 07

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic

CVE-2023-27103 HIGH POC
8.8 Mar 15

Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at m

CVE-2023-43887 HIGH POC
8.1 Nov 22

Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameter

CVE-2023-25221 HIGH POC
7.8 Mar 01

Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic

CVE-2024-38950 MEDIUM POC
6.5 Jun 26

Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to

CVE-2023-27102 MEDIUM POC
6.5 Mar 15

Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segm

CVE-2023-24751 MEDIUM POC
6.5 Mar 01

libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. Rated medi

CVE-2022-43253 MEDIUM POC
6.5 Nov 02

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_unweighted_pred_16_fallback in fa

CVE-2022-43252 MEDIUM POC
6.5 Nov 02

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_16_fallback in fallback-moti

Share

CVE-2026-49346 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy