Out-of-Bounds Heap Write in libde265 Video Codec Implementation
CVE-2026-33165
5.5 MEDIUM
What is CVE-2026-33165?
libde265, an open-source decoder for the HEVC (H.265) video codec, contains an out-of-bounds heap write that a crafted HEVC bitstream can trigger. The decoder caches the coding tree block (CTB) size in ctb_info.log2unitSize, and that cached value is left stale across an SPS (Sequence Parameter Set) change. Specifically, when a new SPS keeps PicWidthInCtbsY and PicHeightInCtbsY unchanged but changes Log2CtbSizeY, the CTB dimensions of the metadata array do not change, so log2unitSize keeps its previous value; set_SliceHeaderIndex then computes its element index with the old shift and writes two bytes past the end of the image metadata array. The issue is fixed in libde265 version 1.0.17.
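The failure mode described above, as an added example that is not libde265's code: a simplified C model of a per-CTB metadata array whose cached log2 unit size is refreshed only when the buffer is reallocated, beside the corrected version that refreshes it on every SPS. The struct layout, the function names (meta_alloc_stale, meta_alloc_fixed, set_slice_header_index) and the two SPS geometries are constructed assumptions chosen so that the CTB count stays 2x2 while Log2CtbSizeY goes from 5 to 6. The setter bounds-checks and refuses the write instead of performing it, so the program shows the bad index without corrupting memory.

```c
/* Added illustrative model of a stale log2 unit size in a per-CTB metadata
 * array. Not libde265 code: layout, names and SPS values are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    uint16_t slice_addr_rs;
    uint16_t slice_header_index;   /* the 2-byte field the setter writes */
} ctb_info;

typedef struct {
    ctb_info *data;
    int width_in_units;
    int height_in_units;
    int log2unit;                  /* cached CTB size as a shift */
    int data_size;                 /* number of ctb_info entries allocated */
} meta_array;

/* Constructed stand-in for the SPS fields that matter here. */
typedef struct {
    int pic_width, pic_height;
    int log2_ctb_size;
} sps_t;

static int ctbs_for(int pixels, int log2ctb) {
    return (pixels + (1 << log2ctb) - 1) >> log2ctb;
}

/* Vulnerable pattern: geometry is refreshed only when storage is
 * (re)allocated, so an SPS with the same CTB count but a different
 * Log2CtbSizeY leaves log2unit stale. */
static void meta_alloc_stale(meta_array *m, const sps_t *sps) {
    int w = ctbs_for(sps->pic_width, sps->log2_ctb_size);
    int h = ctbs_for(sps->pic_height, sps->log2_ctb_size);
    if (m->data == NULL || m->data_size != w * h) {
        free(m->data);
        m->data = calloc((size_t)(w * h), sizeof *m->data);
        m->data_size = w * h;
        m->width_in_units = w;
        m->height_in_units = h;
        m->log2unit = sps->log2_ctb_size;   /* only updated on this path */
    }
}

/* Fixed pattern: unit size and unit counts are updated on every call,
 * whether or not the storage is reallocated. */
static void meta_alloc_fixed(meta_array *m, const sps_t *sps) {
    int w = ctbs_for(sps->pic_width, sps->log2_ctb_size);
    int h = ctbs_for(sps->pic_height, sps->log2_ctb_size);
    if (m->data == NULL || m->data_size != w * h) {
        free(m->data);
        m->data = calloc((size_t)(w * h), sizeof *m->data);
        m->data_size = w * h;
    }
    m->width_in_units = w;
    m->height_in_units = h;
    m->log2unit = sps->log2_ctb_size;
}

/* Pixel position -> element index, using the cached unit size. */
static int meta_index(const meta_array *m, int x, int y) {
    return (x >> m->log2unit) + (y >> m->log2unit) * m->width_in_units;
}

/* Bounds-checked setter: returns the index written, or -1 when the write
 * would land outside the buffer (refuses instead of corrupting the heap). */
static int set_slice_header_index(meta_array *m, int x, int y, uint16_t idx) {
    int i = meta_index(m, x, y);
    if (i < 0 || i >= m->data_size) return -1;
    m->data[i].slice_header_index = idx;
    return i;
}

typedef struct { int data_size; int raw_index; int written; } replay_result;

/* Replay the scenario: SPS 1 = 64x64 picture with 32x32 CTBs (2x2 CTBs),
 * SPS 2 = 128x128 picture with 64x64 CTBs (still 2x2 CTBs). Reports the
 * element index computed for the last CTB of SPS 2 and the setter's result. */
static replay_result replay(void (*alloc)(meta_array *, const sps_t *)) {
    sps_t sps1 = { 64, 64, 5 };
    sps_t sps2 = { 128, 128, 6 };
    meta_array m = { 0 };
    replay_result r;
    alloc(&m, &sps1);
    alloc(&m, &sps2);   /* same CTB count: the stale path skips the refresh */
    int last_x = (m.width_in_units - 1) << sps2.log2_ctb_size;  /* 64 */
    int last_y = (m.height_in_units - 1) << sps2.log2_ctb_size; /* 64 */
    r.data_size = m.data_size;
    r.raw_index = meta_index(&m, last_x, last_y);
    r.written = set_slice_header_index(&m, last_x, last_y, 1);
    free(m.data);
    return r;
}

int main(void) {
    replay_result s = replay(meta_alloc_stale);
    replay_result f = replay(meta_alloc_fixed);
    printf("stale: %d entries, index %d, write %s\n", s.data_size, s.raw_index,
           s.written < 0 ? "refused (out of bounds)" : "ok");
    printf("fixed: %d entries, index %d, write %s\n", f.data_size, f.raw_index,
           f.written < 0 ? "refused (out of bounds)" : "ok");
    return 0;
}
```

With the stale allocator the last CTB of the second SPS resolves to element 6 of a 4-element array, which is exactly the shape of bug the advisory describes; with the fixed allocator it resolves to element 3. The general check a reviewer would apply to any decoder: every value cached from an SPS (unit sizes, strides, counts) must be recomputed whenever a new SPS is activated, not only when the buffer's byte size happens to change, and setters indexed from bitstream-controlled coordinates should be bounds-checked regardless.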
Affected Version(s)
libde265 < 1.0.17
