CVE-2026-49295
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
A vulnerability in the libde265 library (H.265 codec implementation) prior to version 1.0.20 allows an out-of-bounds array write when processing a crafted H.265 bitstream. There is a missing check on the total number of predicted short-term reference picture set entries, which can cause a write beyond the 16-element array.
Risk Assessment
An attacker can remotely cause application crashes or potentially gain unauthorized memory access, which may lead to arbitrary code execution in the context of the process using the library.
Recommendation
Immediately update the libde265 library to version 1.0.20 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.

