Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Network-delivered media parsed with one user action, no auth, no special prerequisites; heap OOB write makes availability High and plausibly leaks/alters memory, so C and I set to Low.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
3DescriptionCVE.org
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in de265_image_get_buffer() (libde265/image.cc:128). The overflow wraps the plane allocation size to a small value (~1 KB), but the subsequent fill_image() call computes the real size using size_t, writing ~4 GB into the undersized heap buffer. Version 1.1.0 patches the issue.
AnalysisAI
Heap buffer overflow in libde265 prior to version 1.1.0 allows remote attackers to corrupt heap memory and likely achieve code execution by tricking a user into processing a crafted H.265 video stream. The flaw stems from a 32-bit signed integer overflow in plane allocation sizing that wraps to ~1 KB, after which fill_image() writes the true ~4 GB plane content into the undersized buffer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target application to decode an attacker-supplied H.265 bitstream whose Sequence Parameter Set declares dimensions large enough that luma_height * luma_bpl (with BitDepth_Y or BitDepth_C of 16, i.e., 2 bytes per sample) exceeds INT32_MAX, triggering the 32-bit signed overflow in de265_image_get_buffer() at libde265/image.cc:128. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H (7.1 High) accurately reflects a media-parsing flaw: network-reachable via any application that decodes attacker-supplied H.265 streams, but exploitation requires user interaction (opening a file, visiting a page, previewing a thumbnail) and yields high availability impact (process crash via OOB write of ~4 GB) with at most limited integrity impact in the abstract NVD model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts an H.265 bitstream whose SPS declares very large luma/chroma dimensions and 16-bit depth, then delivers it as an .hevc/.mp4/.heif/.heic file via email attachment, web page, messaging app, or shared folder. When the victim opens or previews the file, libde265's de265_image_get_buffer() allocates a ~1 KB plane buffer due to the 32-bit overflow, and fill_image() then writes the full multi-gigabyte plane content into that buffer, producing a heap overflow that crashes the decoder process and may be steered toward arbitrary code execution. … |
| Remediation | Upgrade libde265 to vendor-released patch version 1.1.0, which fixes the integer overflow in de265_image_get_buffer() by widening stride/height to uint32_t and casting allocation and memcpy size computations to size_t (commit https://github.com/strukturag/libde265/commit/8a1b5cf212f78e1c77cb46eb5d56e492a9336eb8; advisory https://github.com/strukturag/libde265/security/advisories/GHSA-vv8h-932h-7r86). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all systems and applications using libde265 to establish risk scope within your environment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. Rated critical severit
Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at sl
Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merg
Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic
Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at m
Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameter
Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic
Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to
Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segm
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. Rated medi
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_unweighted_pred_16_fallback in fa
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_16_fallback in fallback-moti
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38080