CVE-2025-61147
Segmentation Fault in libde265 decoder_context::compute_framedrop_table
Publication date: 2026-02-23
Last updated on: 2026-03-24
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| struktur | libde265 | to 1.0.17 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61147 is a vulnerability in the libde265 library, specifically in the function decoder_context::compute_framedrop_table(). It causes a segmentation fault due to a buffer overflow or invalid memory write when processing certain HEVC video streams.
The issue arises from improper handling of input data during frame drop table computation, leading to a write memory access violation and program crash.
This vulnerability was discovered through fuzz testing and results in a denial of service by crashing the decoder when it encounters crafted or malformed input.
How can this vulnerability impact me? :
This vulnerability can cause the libde265 decoder to crash when processing specially crafted HEVC video streams, leading to a denial of service.
If you use libde265 in your software or systems for video decoding, an attacker could exploit this flaw to disrupt service or cause unexpected termination of the application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a segmentation fault in the libde265 library during decoding of crafted HEVC streams, specifically in the function decoder_context::compute_framedrop_table(). Detection can be performed by monitoring for crashes or segmentation faults in applications using libde265 when processing HEVC video streams.
Fuzz testing tools such as CodeQL and OptionFuzz were used to discover this issue, and AddressSanitizer with Clang compiler flags (-fsanitize=address -g) helped detect the invalid memory write causing the crash.
To detect this vulnerability on your system, you can run libde265 decoding commands on suspicious or untrusted HEVC video files and monitor for segmentation faults or crashes.
- Use AddressSanitizer-enabled builds of libde265 to run decoding commands and catch memory errors.
- Example command to decode a video file (replace input.hevc with your file): ./libde265_decoder input.hevc
- Monitor system logs or application output for segmentation faults or abnormal termination.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update libde265 to a version that includes the patch fixing CVE-2025-61147.
The fix involves improved input validation of integer command line parameters in the decoder, preventing invalid or out-of-range values that could trigger the segmentation fault.
- Apply the patch available at https://github.com/strukturag/libde265/commit/8b17e0930f77db07f55e0b89399a8f054ddbecf7 or upgrade to a version including this fix.
- Avoid processing untrusted or malformed HEVC streams with vulnerable versions of libde265.
- If updating immediately is not possible, consider running libde265 in a sandboxed environment to limit impact of potential crashes.