CVE-2026-33165

Published: Mar 20, 2026 Last Modified: Mar 20, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,5
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high

Description

AI Translation Available

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.

787

Out-of-bounds Write

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Availability Other
Potential Impacts:
Modify Memory Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Unexpected State
Applicable Platforms
Languages: Assembly, C, C++, Memory-Unsafe
Technologies: ICS/OT
Likelihood of Exploit: High
View CWE Details
https://github.com/strukturag/libde265/commit/c7891e4121061…
https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9…
https://github.com/strukturag/libde265/releases/tag/v1.0.17
https://github.com/strukturag/libde265/releases/tag/v1.0.17
https://github.com/strukturag/libde265/security/advisories/…
https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg