Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.
AnalysisAI
A malformed H.265 PPS (Picture Parameter Set) NAL unit in libde265 prior to version 1.0.17 triggers a segmentation fault in the pic_parameter_set::set_derived_values() function, causing denial of service. Any application using affected versions of libde265 to decode H.265 video streams is vulnerable to crash via specially crafted video files or streams. The vulnerability has been patched in version 1.0.17, and a GitHub security advisory documents the issue.
Technical ContextAI
libde265 is an open-source H.265/HEVC video codec decoder library maintained by Struktur AG. The vulnerability exists in the picture parameter set (PPS) NAL unit parsing logic, where insufficient validation of malformed PPS data leads to a heap overflow condition classified under CWE-122 (Heap-based Buffer Overflow). The PPS is a critical H.265 syntax element that defines decoding parameters for entire pictures; malformed PPS data allows an attacker to bypass bounds checking in the derived values computation routine. The affected product is identified by CPE cpe:2.3:a:strukturag:libde265:*:*:*:*:*:*:*:* for all versions prior to 1.0.17. This library is commonly embedded in media players, transcoding services, and video streaming applications.
RemediationAI
Upgrade libde265 to version 1.0.17 or later immediately. For applications embedding libde265, update the library dependency to the patched version and rebuild. If direct upgrade is not immediately feasible, implement input validation at the application layer by rejecting or sandboxing untrusted H.265 video sources, and run video decoding processes with restricted privileges and memory isolation. Consider deploying decoded video processing in containerized environments with resource limits to mitigate denial-of-service impact. Refer to the GitHub release notes at https://github.com/strukturag/libde265/releases/tag/v1.0.17 for detailed upgrade instructions.
Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. Rated critical severit
Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at sl
Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merg
Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic
Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at m
Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameter
Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic
Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to
Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segm
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. Rated medi
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_unweighted_pred_16_fallback in fa
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_16_fallback in fallback-moti
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13810