CVE-2026-33164
Received Received - Intake
Segmentation Fault in libde265 via Malformed H.265 PPS NAL Unit

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33164
EUVD
EUVD-2026-13810
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
struktur libde265 to 1.0.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33164 is a high-severity vulnerability in libde265, an open source implementation of the H.265 video codec. The issue occurs in versions up to 1.0.16 and is caused by a malformed H.265 Picture Parameter Set (PPS) NAL unit that triggers a NULL pointer dereference in the function pic_parameter_set::set_derived_values(). This leads to a segmentation fault (crash) when processing such malformed input.

The vulnerability was discovered through fuzz testing (AFL++) and is related to a heap-based buffer overflow condition (CWE-122). It affects any application using libde265 for decoding H.265 video streams.

This issue has been fixed in libde265 version 1.0.17, which includes input validation improvements to prevent this crash.

Impact Analysis

If you use libde265 for decoding H.265 video streams in your applications (such as VLC, GStreamer, libheif, GNOME Videos, or Kodi), this vulnerability can cause your application to crash when processing specially crafted malformed H.265 input.

The segmentation fault caused by the NULL pointer dereference can lead to denial of service, interrupting normal operation and potentially affecting user experience or system stability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by testing if the libde265 decoder crashes when processing a malformed H.265 Picture Parameter Set (PPS) NAL unit. Specifically, running the dec265 binary with a crafted malformed PPS file (e.g., poc_pps_segv.h265) will cause a segmentation fault (exit code 139) if the vulnerable version is present.

A suggested command to detect the vulnerability is to run the dec265 decoder with a known malformed PPS file:

  • dec265 poc_pps_segv.h265

If the program crashes with a segmentation fault, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade libde265 to version 1.0.17 or later, where this vulnerability has been fixed.

Additionally, since version 1.0.17 removes autotools build scripts and requires migration to CMake, users should adapt their build process accordingly.

Avoid processing untrusted or malformed H.265 input files with vulnerable versions of libde265 to reduce the risk of crashes or exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33164. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart