Skip to main content

Libde265 EUVDEUVD-2026-13810

| CVE-2026-33164 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-03-20 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:19 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.0.17
EUVD ID Assigned
Mar 20, 2026 - 21:00 euvd
EUVD-2026-13810
Analysis Generated
Mar 20, 2026 - 21:00 vuln.today
CVE Published
Mar 20, 2026 - 20:33 nvd
HIGH 7.5

DescriptionGitHub Advisory

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.

AnalysisAI

A malformed H.265 PPS (Picture Parameter Set) NAL unit in libde265 prior to version 1.0.17 triggers a segmentation fault in the pic_parameter_set::set_derived_values() function, causing denial of service. Any application using affected versions of libde265 to decode H.265 video streams is vulnerable to crash via specially crafted video files or streams. The vulnerability has been patched in version 1.0.17, and a GitHub security advisory documents the issue.

Technical ContextAI

libde265 is an open-source H.265/HEVC video codec decoder library maintained by Struktur AG. The vulnerability exists in the picture parameter set (PPS) NAL unit parsing logic, where insufficient validation of malformed PPS data leads to a heap overflow condition classified under CWE-122 (Heap-based Buffer Overflow). The PPS is a critical H.265 syntax element that defines decoding parameters for entire pictures; malformed PPS data allows an attacker to bypass bounds checking in the derived values computation routine. The affected product is identified by CPE cpe:2.3:a:strukturag:libde265:*:*:*:*:*:*:*:* for all versions prior to 1.0.17. This library is commonly embedded in media players, transcoding services, and video streaming applications.

RemediationAI

Upgrade libde265 to version 1.0.17 or later immediately. For applications embedding libde265, update the library dependency to the patched version and rebuild. If direct upgrade is not immediately feasible, implement input validation at the application layer by rejecting or sandboxing untrusted H.265 video sources, and run video decoding processes with restricted privileges and memory isolation. Consider deploying decoded video processing in containerized environments with resource limits to mitigate denial-of-service impact. Refer to the GitHub release notes at https://github.com/strukturag/libde265/releases/tag/v1.0.17 for detailed upgrade instructions.

CVE-2022-1253 CRITICAL POC
9.8 Apr 06

Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. Rated critical severit

CVE-2023-49468 HIGH POC
8.8 Dec 07

Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at sl

CVE-2023-49467 HIGH POC
8.8 Dec 07

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merg

CVE-2023-49465 HIGH POC
8.8 Dec 07

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic

CVE-2023-27103 HIGH POC
8.8 Mar 15

Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at m

CVE-2023-43887 HIGH POC
8.1 Nov 22

Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameter

CVE-2023-25221 HIGH POC
7.8 Mar 01

Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic

CVE-2024-38950 MEDIUM POC
6.5 Jun 26

Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to

CVE-2023-27102 MEDIUM POC
6.5 Mar 15

Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segm

CVE-2023-24751 MEDIUM POC
6.5 Mar 01

libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. Rated medi

CVE-2022-43253 MEDIUM POC
6.5 Nov 02

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_unweighted_pred_16_fallback in fa

CVE-2022-43252 MEDIUM POC
6.5 Nov 02

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_16_fallback in fallback-moti

Share

EUVD-2026-13810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy