Out-of-Bounds Write Vulnerability in libde265 H.265 Video Codec
CVE-2026-49295

7.1 HIGH

Key Information:

Vendor

Strukturag

Status
Vendor
CVE Published: 19 June 2026

What is CVE-2026-49295?

The libde265 library, an open-source implementation of the H.265 video codec, is susceptible to an out-of-bounds write vulnerability due to a missing validation check in the processing of reference picture sets. Specifically, when handling crafted H.265 bitstreams, the library can write beyond its allocated array bounds, leading to potential crashes or arbitrary code execution. This issue arises from inadequate checks on the combined count of predicted short-term reference picture set entries, allowing writes to indices that exceed the array limit. The vulnerability is resolved in version 1.0.20, where appropriate aggregate bound checks have been implemented.
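The aggregate bound check described above, as an added example in C. This is a simplified model written for this page, not libde265's code: `rps_t`, `rps_push`, `rps_predict`, the single shared array and the capacity of 16 are all assumptions.

```c
#define RPS_CAPACITY 16 /* assumed capacity; not a value taken from libde265 */

/* Hypothetical, simplified short-term reference picture set. */
typedef struct {
    int delta_poc[RPS_CAPACITY]; /* negative and positive entries share one array */
    int num_negative;            /* entries with delta < 0 */
    int num_positive;            /* entries with delta > 0 */
} rps_t;

/* Append one predicted entry; refuse once the combined count is at capacity. */
static int rps_push(rps_t *out, int delta)
{
    int total = out->num_negative + out->num_positive;
    if (total >= RPS_CAPACITY)
        return -1; /* aggregate bound check: no write past delta_poc[] */
    out->delta_poc[total] = delta;
    if (delta < 0) out->num_negative++;
    else           out->num_positive++;
    return 0;
}

/*
 * Predict a set from a reference set. Each kept reference entry is shifted by
 * delta_rps, and delta_rps itself may be kept as one extra entry, so up to
 * ref_total + 1 entries can be produced. use_flag[] has ref_total + 1 elements
 * (a constructed stand-in for flags parsed from the bitstream).
 * Returns 0 on success, -1 when the stream must be rejected.
 */
int rps_predict(const rps_t *ref, int delta_rps,
                const unsigned char *use_flag, rps_t *out)
{
    if (ref->num_negative < 0 || ref->num_negative > RPS_CAPACITY ||
        ref->num_positive < 0 || ref->num_positive > RPS_CAPACITY)
        return -1;
    int ref_total = ref->num_negative + ref->num_positive;
    if (ref_total > RPS_CAPACITY)
        return -1; /* the reference set itself must fit */
    out->num_negative = out->num_positive = 0;
    for (int j = 0; j <= ref_total; j++) {
        if (!use_flag[j])
            continue;
        int d = (j < ref_total ? ref->delta_poc[j] : 0) + delta_rps;
        if (d == 0)
            continue; /* a zero delta is not stored */
        if (rps_push(out, d) != 0)
            return -1;
    }
    return 0;
}
```

A full reference set can predict one entry more than the array holds, so the combined count has to be checked before each write, not only the negative and positive counts separately.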

Affected Version(s)

libde265 < 1.0.20

References

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
