Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Network-delivered crafted bitstream, no auth, but requires the user to open the file (UI:R); OOB write yields integrity tampering and high availability impact with no direct confidentiality disclosure.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
3DescriptionCVE.org
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in decoder_context::process_reference_picture_set() (libde265/decctx.cc:1376). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry PocStFoll array, writing at index 16. Version 1.0.20 patches the issue.
AnalysisAI
Out-of-bounds write in libde265 prior to version 1.0.20 allows remote attackers to corrupt memory by tricking a user into processing a maliciously crafted H.265 bitstream. The flaw resides in the short-term reference picture set handling and can lead to denial of service or potential code execution in any application that links libde265 for HEVC decoding. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Victim must open or render an attacker-supplied H.265 bitstream (raw stream, .heic, or HEVC-encoded video) using an application built against libde265 prior to 1.0.20; UI:R in the CVSS vector confirms user interaction is required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H) accurately reflects a client-side parsing bug: network-reachable via any application that decodes attacker-supplied HEVC content, but requires user interaction such as opening a file or visiting a page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious H.265 bitstream (e.g., embedded in a .heic image or .mp4 video) where the predicted short-term reference picture set construction pushes NumDeltaPocs to 17, and delivers it via email attachment, web download, or messaging app. When the victim opens the file in a viewer that uses libde265 (directly or via libheif), the decoder writes past the 16-entry PocStFoll array, corrupting adjacent decoder state and crashing the process or potentially enabling code execution. … |
| Remediation | Vendor-released patch: libde265 1.0.20 - upgrade to this version, which adds an aggregate NumDeltaPocs > MAX_NUM_REF_PICS check in read_short_term_ref_pic_set() (commit 691f3a3c55b3d32478c4a49895dee061a282652b). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems using libde265 (check video applications, media servers, and codec library dependencies for versions prior to 1.0.20). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. Rated critical severit
Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at sl
Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merg
Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic
Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at m
Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameter
Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_predic
Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to
Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segm
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. Rated medi
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_unweighted_pred_16_fallback in fa
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_16_fallback in fallback-moti
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38079