CVE-2026-49346
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
In libde265 prior to version 1.1.0, a signed integer overflow vulnerability was found in the `de265_image_get_buffer()` function. A crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes the plane allocation size to wrap to a small value (~1 KB), while the subsequent `fill_image()` call writes approximately 4 GB of data into the undersized heap buffer, leading to a heap buffer overflow.
Risk Assessment
An attacker can remotely cause memory corruption and potentially take control of an application using libde265, which may lead to data leakage or denial of service.
Recommendation
Immediately update libde265 to version 1.1.0 or later, which contains a fix for this vulnerability.
Original NVD description (English source)
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow wraps the plane allocation size to a small value (~1 KB), but the subsequent `fill_image()` call computes the real size using `size_t`, writing ~4 GB into the undersized heap buffer. Version 1.1.0 patches the issue.

