Skip to main content

libde265 EUVDEUVD-2026-38078

| CVE-2026-49337 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-19 GitHub_M
4.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
vuln.today AI
4.3 MEDIUM

Crafted H.265 stream delivered over network (AV:N, AC:L, PR:N) requires victim decode initiation (UI:R); impact is heap exhaustion only (A:L), no confidentiality or integrity consequence.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 23:17 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 20:46 vuln.today
Analysis Generated
Jun 19, 2026 - 20:46 vuln.today

DescriptionCVE.org

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes decoder_context::read_slice_NAL() (libde265/decctx.cc:481) to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth. The retained headers are never freed until the picture is released, which may not happen during continuous streaming. Version 1.0.20 patches the issue.

AnalysisAI

Unbounded heap growth in libde265 prior to version 1.0.20 allows remote attackers to exhaust process memory by delivering a crafted H.265 bitstream, resulting in denial of service. The flaw in decoder_context::read_slice_NAL() (decctx.cc:481) unconditionally attaches slice segment headers to finished picture objects regardless of whether an active image unit exists; in continuous streaming contexts these headers are never freed, enabling attacker-controlled memory accumulation without bound. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Deliver crafted H.265 stream to target application
Delivery
Victim initiates HEVC decoding session
Exploit
Malformed non-first-slice NALs target finished picture object
Install
Slice headers appended to heap without active image unit
C2
Headers never freed during continuous streaming
Execute
Heap exhaustion triggers OOM-kill
Impact
Decoding service denied

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application invoke `decoder_context::read_slice_NAL()` on an attacker-supplied H.265 bitstream containing a sequence of non-first-slice NAL units directed at a picture object in a finished state (no active image unit). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) accurately reflects a moderate-severity availability-only flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts an H.265 video file containing a sustained sequence of non-first-slice NAL units targeting a finished picture object, then delivers it to a media server or streaming application via a user-controlled upload, a malicious media URL, or an auto-playing embed. Each malformed NAL unit causes a slice header to be allocated and appended to the picture's internal list without ever being freed, progressively exhausting available heap memory. …
Remediation Upgrade libde265 to version 1.0.20, which resolves the issue via commit 683cb9fa603e35840642f98765ab95cdb71cadf9; the advisory is available at https://github.com/strukturag/libde265/security/advisories/GHSA-g5hj-rf9f-7vxm. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-1253 CRITICAL POC
9.8 Apr 06

Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. Rated critical severit

CVE-2023-49468 HIGH POC
8.8 Dec 07

Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at sl

CVE-2023-49467 HIGH POC
8.8 Dec 07

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merg

CVE-2023-49465 HIGH POC
8.8 Dec 07

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic

CVE-2023-27103 HIGH POC
8.8 Mar 15

Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at m

CVE-2023-43887 HIGH POC
8.1 Nov 22

Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameter

CVE-2023-25221 HIGH POC
7.8 Mar 01

Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic

CVE-2024-38950 MEDIUM POC
6.5 Jun 26

Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to

CVE-2023-27102 MEDIUM POC
6.5 Mar 15

Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segm

CVE-2023-24751 MEDIUM POC
6.5 Mar 01

libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. Rated medi

CVE-2022-43253 MEDIUM POC
6.5 Nov 02

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_unweighted_pred_16_fallback in fa

CVE-2022-43252 MEDIUM POC
6.5 Nov 02

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_16_fallback in fallback-moti

Share

EUVD-2026-38078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy