CVE-2026-49295

libde265 has an out-of-bounds write in process_reference_picture_set via predicted short-term RPS

Assigner: GitHub_M
Reserved: 28.05.2026 Published: 19.06.2026 Updated: 19.06.2026

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in decoder_context::process_reference_picture_set() (libde265/decctx.cc:1376). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry PocStFoll array, writing at index 16. Version 1.0.20 patches the issue.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
CVSS Score: 7.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	strukturag
Product	libde265
Versions	Version < 1.0.20 is affected

Vendor

strukturag

Product

libde265

Versions

Version < 1.0.20 is affected

References

Problem Types

CWE-787: Out-of-bounds Write CWE

CVE-2026-49295 PUBLISHED

libde265 has an out-of-bounds write in process_reference_picture_set via predicted short-term RPS

Metrics

Product Status

References

Problem Types