CVE-2025-61147
Received Received - Intake
Segmentation Fault in libde265 decoder_context::compute_framedrop_table

Publication date: 2026-02-23

Last updated on: 2026-03-24

Assigner: MITRE

Description
strukturag libde265 commit d9fea9d wa discovered to contain a segmentation fault via the component decoder_context::compute_framedrop_table().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-02-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61147
EUVD
EUVD-2025-207620
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
struktur libde265 to 1.0.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61147 is a vulnerability in the libde265 library, specifically in the function decoder_context::compute_framedrop_table(). It causes a segmentation fault due to a buffer overflow or invalid memory write when processing certain HEVC video streams.

The issue arises from improper handling of input data during frame drop table computation, leading to a write memory access violation and program crash.

This vulnerability was discovered through fuzz testing and results in a denial of service by crashing the decoder when it encounters crafted or malformed input.

Impact Analysis

This vulnerability can cause the libde265 decoder to crash when processing specially crafted HEVC video streams, leading to a denial of service.

If you use libde265 in your software or systems for video decoding, an attacker could exploit this flaw to disrupt service or cause unexpected termination of the application.

Compliance Impact

I don't know

Detection Guidance

This vulnerability causes a segmentation fault in the libde265 library during decoding of crafted HEVC streams, specifically in the function decoder_context::compute_framedrop_table(). Detection can be performed by monitoring for crashes or segmentation faults in applications using libde265 when processing HEVC video streams.

Fuzz testing tools such as CodeQL and OptionFuzz were used to discover this issue, and AddressSanitizer with Clang compiler flags (-fsanitize=address -g) helped detect the invalid memory write causing the crash.

To detect this vulnerability on your system, you can run libde265 decoding commands on suspicious or untrusted HEVC video files and monitor for segmentation faults or crashes.

  • Use AddressSanitizer-enabled builds of libde265 to run decoding commands and catch memory errors.
  • Example command to decode a video file (replace input.hevc with your file): ./libde265_decoder input.hevc
  • Monitor system logs or application output for segmentation faults or abnormal termination.
Mitigation Strategies

The primary mitigation step is to update libde265 to a version that includes the patch fixing CVE-2025-61147.

The fix involves improved input validation of integer command line parameters in the decoder, preventing invalid or out-of-range values that could trigger the segmentation fault.

  • Apply the patch available at https://github.com/strukturag/libde265/commit/8b17e0930f77db07f55e0b89399a8f054ddbecf7 or upgrade to a version including this fix.
  • Avoid processing untrusted or malformed HEVC streams with vulnerable versions of libde265.
  • If updating immediately is not possible, consider running libde265 in a sandboxed environment to limit impact of potential crashes.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61147. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart