Executive Summary

CVE-2026-33165 is a heap out-of-bounds write vulnerability in the libde265 library, which is an open source implementation of the h.265 video codec. The issue occurs when decoding a specially crafted HEVC bitstream that causes a stale metadata value after a Sequence Parameter Set (SPS) change. Specifically, when the picture width and height in coding tree blocks remain the same but the coding tree block size parameter changes, the library incorrectly indexes beyond the allocated image metadata array, writing 2 bytes past the end of a heap allocation.

This happens because the function responsible for setting slice header indices does not properly handle changes in the CTB size parameter, leading to memory corruption. The vulnerability was confirmed by tools like AddressSanitizer and Valgrind, which detected heap-buffer-overflow errors during decoding.

The issue was fixed in libde265 version 1.0.17 by updating the conditions that trigger reallocation of the metadata array to include changes in the CTB size parameter, ensuring the array is properly resized and preventing out-of-bounds writes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to heap memory corruption when decoding maliciously crafted HEVC video streams using vulnerable versions of libde265 (prior to 1.0.17).

In debug or AddressSanitizer builds, the corruption causes the program to abort due to assertion failures or detected heap-buffer-overflows, preventing further execution.

In release builds, the heap out-of-bounds write may silently corrupt memory, potentially leading to unpredictable behavior, crashes, or security issues such as denial of service or exploitation by attackers to execute arbitrary code.

Therefore, users decoding untrusted or malicious HEVC streams with vulnerable libde265 versions are at risk of application instability or compromise.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by reproducing the heap out-of-bounds write using a crafted HEVC bitstream that triggers the stale ctb_info.log2unitSize condition after an SPS change.

Detection involves building libde265 with AddressSanitizer (ASan) enabled and running the provided minimized proof-of-concept (PoC) bitstream (reproducer.bin) through the standalone PoC decoder (poc.c) to observe crashes or heap-buffer-overflow reports.

Valgrind can also be used to detect invalid memory writes and reads during decoding, particularly in functions related to slice segment processing and deblocking filter application.

• Build libde265 with ASan enabled.
• Compile the standalone PoC decoder (poc.c).
• Run the PoC bitstream (reproducer.bin) through the PoC decoder to trigger the vulnerability.
• Use Valgrind to monitor for invalid memory accesses during decoding.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade libde265 to version 1.0.17 or later, where the vulnerability has been patched.

This patch ensures proper reallocation of the metadata array when the CTB size parameter changes, preventing out-of-bounds heap writes.

Until the upgrade can be applied, avoid decoding untrusted or crafted HEVC bitstreams that could trigger this vulnerability.

Useful 0 Not Useful 0