FKIE_CVE-2026-33165

Vulnerability from fkie_nvd - Published: 2026-03-20 21:17 - Updated: 2026-03-23 20:09
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
5.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Summary
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.
References
security-advisories@github.comhttps://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658Patch
security-advisories@github.comhttps://github.com/strukturag/libde265/releases/tag/v1.0.17Release Notes
security-advisories@github.comhttps://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvgExploit, Vendor Advisory, Patch
Impacted products
Vendor Product Version
struktur libde265 *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:struktur:libde265:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "40DB036E-3A5D-4245-B887-4123769ECB8D",
              "versionEndExcluding": "1.0.17",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17."
    },
    {
      "lang": "es",
      "value": "libde265 es una implementaci\u00f3n de c\u00f3digo abierto del c\u00f3dec de video h.265. Antes de la versi\u00f3n 1.0.17, un flujo de bits HEVC manipulado causa una escritura fuera de l\u00edmites en el heap confirmada por AddressSanitizer. El desencadenante es un ctb_info.log2unitSize obsoleto despu\u00e9s de un cambio de SPS donde PicWidthInCtbsY y PicHeightInCtbsY permanecen constantes pero Log2CtbSizeY cambia, lo que hace que set_SliceHeaderIndex indexe m\u00e1s all\u00e1 del array de metadatos de imagen asignado y escriba 2 bytes m\u00e1s all\u00e1 del final de una asignaci\u00f3n de heap. Este problema ha sido parcheado en la versi\u00f3n 1.0.17."
    }
  ],
  "id": "CVE-2026-33165",
  "lastModified": "2026-03-23T20:09:04.893",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-20T21:17:16.453",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/strukturag/libde265/releases/tag/v1.0.17"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory",
        "Patch"
      ],
      "url": "https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.