Description

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.

INFO

Published Date :

2026-03-20T20:32:36.603Z

Last Modified :

2026-03-24T18:48:34.866Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33165 vulnerability.

Vendors Products
Struktur
  • Libde265
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33165.

URL Resource
https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658 cve-icon cve-icon
https://github.com/strukturag/libde265/releases/tag/v1.0.17 cve-icon cve-icon
https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact