Vulnerability Description
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Struktur | Libde265 | < 1.0.17 |
Related Weaknesses (CWE)
References
- https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e94Patch
- https://github.com/strukturag/libde265/releases/tag/v1.0.17Release Notes
- https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvgExploitVendor AdvisoryPatch
FAQ
What is CVE-2026-33165?
CVE-2026-33165 is a vulnerability with a CVSS score of 5.5 (MEDIUM). libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a...
How severe is CVE-2026-33165?
CVE-2026-33165 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33165?
Check the references section above for vendor advisories and patch information. Affected products include: Struktur Libde265.