CVE Catalog

CVE-2026-49295

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

13th percentile — higher than 13% of all known CVEs

Summary

A vulnerability in the libde265 library (H.265 codec implementation) prior to version 1.0.20 allows an out-of-bounds array write when processing a crafted H.265 bitstream. There is a missing check on the total number of predicted short-term reference picture set entries, which can cause a write beyond the 16-element array.

Risk Assessment

An attacker can remotely cause application crashes or potentially gain unauthorized memory access, which may lead to arbitrary code execution in the context of the process using the library.

Recommendation

Immediately update the libde265 library to version 1.0.20 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS