Memory Vulnerability in libde265 Video Codec by Struktur AG
CVE-2026-49337
4.3 MEDIUM
What is CVE-2026-49337?
The libde265 video codec prior to version 1.0.20 is vulnerable to a memory leak triggered by malformed H.265 NAL unit sequences. An attacker can cause the decoder to retain slice headers for a finished picture object that has no active image unit. Because these slice headers can accumulate, heap usage grows without bound, which can degrade performance and exhaust system memory during prolonged use or continuous streaming. Users are strongly advised to upgrade to version 1.0.20 to mitigate this vulnerability.
Affected Version(s)
libde265 < 1.0.20
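
The affected range above can be checked on a host with the following added example, which is not code from libde265 or Struktur AG. The function names are hypothetical, and `check_installed` assumes the library was installed with its pkg-config file registered as `libde265`.

```shell
#!/bin/sh
# Added example (not libde265 project code). Function names are hypothetical.
FIXED_VERSION="1.0.20"   # first fixed release, per the advisory

# Strip a Debian-style epoch ("1:") and package revision ("-1build3", "+dfsg")
# so only the upstream dotted version remains.
normalize_version() {
    v=${1#*:}; v=${v%%-*}; v=${v%%+*}
    printf '%s\n' "$v"
}

# version_lt A B: exit 0 when A < B, comparing dot-separated fields numerically
# (so 1.0.9 sorts before 1.0.20, which a plain string comparison gets wrong).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "rc1"
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "less than"
}

# libde265_affected VERSION: exit 0 when VERSION predates the fixed release.
libde265_affected() {
    version_lt "$(normalize_version "$1")" "$FIXED_VERSION"
}

# check_installed: report on the libde265 build that pkg-config resolves.
# Returns 0 = fixed, 1 = affected, 2 = could not determine.
check_installed() {
    ver=$(pkg-config --modversion libde265 2>/dev/null) || {
        echo "libde265 not found via pkg-config"; return 2; }
    if libde265_affected "$ver"; then
        echo "libde265 $ver is older than $FIXED_VERSION: affected"; return 1
    fi
    echo "libde265 $ver: not in the affected range"
}

# Run the check only when invoked as: sh check.sh --check
if [ "${1:-}" = "--check" ]; then check_installed; fi
```

A version string alone can misreport distribution packages that carry a backported fix under an older upstream number, so confirm against the distributor's own advisory before treating a package as affected.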
