CVE-2026-33164
Segmentation Fault in libde265 via Malformed H.265 PPS NAL Unit
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| struktur | libde265 | before 1.0.17 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33164 is a high-severity vulnerability in libde265, an open source implementation of the H.265 video codec. The issue occurs in versions up to 1.0.16 and is caused by a malformed H.265 Picture Parameter Set (PPS) NAL unit that triggers a NULL pointer dereference in the function pic_parameter_set::set_derived_values(). This leads to a segmentation fault (crash) when processing such malformed input.
The vulnerability was discovered through fuzz testing (AFL++) and is related to a heap-based buffer overflow condition (CWE-122). It affects any application using libde265 for decoding H.265 video streams.
This issue has been fixed in libde265 version 1.0.17, which includes input validation improvements to prevent this crash.
How can this vulnerability impact me?
If you use libde265 for decoding H.265 video streams in your applications (such as VLC, GStreamer, libheif, GNOME Videos, or Kodi), this vulnerability can cause your application to crash when processing specially crafted malformed H.265 input.
The segmentation fault caused by the NULL pointer dereference can lead to denial of service, interrupting normal operation and potentially affecting user experience or system stability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing if the libde265 decoder crashes when processing a malformed H.265 Picture Parameter Set (PPS) NAL unit. Specifically, running the dec265 binary with a crafted malformed PPS file (e.g., poc_pps_segv.h265) will cause a segmentation fault (exit code 139) if the vulnerable version is present.
A suggested command to detect the vulnerability is to run the dec265 decoder with a known malformed PPS file:
- dec265 poc_pps_segv.h265
If the program crashes with a segmentation fault, it indicates the presence of the vulnerability.
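The two checks described above (installed version below 1.0.17, and a dec265 run ending in exit code 139) can be scripted for host triage. This is an added example, not code from the original page or from the libde265 project; the function names are hypothetical, and it assumes pkg-config metadata for libde265 is installed and that `sort -V` (GNU coreutils) is available.

```shell
#!/usr/bin/env bash
# Added example: triage helpers for CVE-2026-33164 (function names are hypothetical).
FIXED_VERSION="1.0.17"   # first fixed release, as stated in the advisory text

# version_lt A B: succeeds when version A sorts strictly before version B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# classify_version VER: print "vulnerable" for releases before the fix, else "fixed".
classify_version() {
    if version_lt "$1" "$FIXED_VERSION"; then echo "vulnerable"; else echo "fixed"; fi
}

# classify_exit STATUS: interpret a dec265 exit status.
# A shell reports death by signal N as 128+N; SIGSEGV is 11, hence 139.
classify_exit() {
    case "$1" in
        0)   echo "clean" ;;
        139) echo "segfault" ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "signal-$(( $1 - 128 ))"
             else
                 echo "error-$1"
             fi ;;
    esac
}

# installed_version: version reported by pkg-config, or empty if it is not known.
installed_version() {
    pkg-config --modversion libde265 2>/dev/null || true
}

# check_host: classify the locally installed libde265, or print "unknown".
check_host() {
    v="$(installed_version)"
    if [ -z "$v" ]; then echo "unknown"; else classify_version "$v"; fi
}

# test_sample FILE: decode FILE with dec265 and classify how the run ended.
test_sample() {
    status=0
    dec265 "$1" >/dev/null 2>&1 || status=$?
    classify_exit "$status"
}

echo "libde265 on this host: $(check_host)"
```

An "unknown" result only means pkg-config has no record of the library; applications that bundle their own copy of libde265 need to be checked separately.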
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade libde265 to version 1.0.17 or later, where this vulnerability has been fixed.
Additionally, since version 1.0.17 removes autotools build scripts and requires migration to CMake, users should adapt their build process accordingly.
Avoid processing untrusted or malformed H.265 input files with vulnerable versions of libde265 to reduce the risk of crashes or exploitation.