Vulnerability DatabaseCVE-2026-33165
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-33165
March 20, 2026
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.
Affected Packages
libde265 (CONAN):
Affected version(s) >=1.0.8 <1.0.17
Fix Suggestion:
Update to version 1.0.17
https://github.com/strukturag/libde265.git (GITHUB):
Affected version(s) >=v1.0.0 <v1.0.17
Fix Suggestion:
Update to version v1.0.17
Related Resources (3)
https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg
https://github.com/strukturag/libde265/releases/tag/v1.0.17
https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.8
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.5
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Out-of-bounds Write
CWE-787
EPSS
Base Score:
0.01