CVE-2026-33164 Overview
CVE-2026-33164 is a high-severity vulnerability affecting libde265, an open source implementation of the H.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS (Picture Parameter Set) NAL unit triggers a segmentation fault in the pic_parameter_set::set_derived_values() function. This vulnerability combines CWE-122 (Heap-based Buffer Overflow) and CWE-476 (NULL Pointer Dereference), enabling attackers to cause denial of service conditions through specially crafted video files.
Critical Impact
A remote attacker can crash applications using libde265 by supplying a maliciously crafted H.265 video file, leading to denial of service. Any application that processes untrusted H.265/HEVC video content is at risk.
Affected Products
- Struktur libde265 versions prior to 1.0.17
- Applications and media players that integrate libde265 for H.265/HEVC video decoding
- Video processing pipelines and transcoding services using vulnerable libde265 versions
Discovery Timeline
- 2026-03-20 - CVE-2026-33164 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33164
Vulnerability Analysis
The vulnerability resides in the H.265 video codec's Picture Parameter Set (PPS) NAL unit parsing logic within libde265. When processing a malformed PPS NAL unit, the pic_parameter_set::set_derived_values() function fails to properly validate input data before dereferencing pointers or performing buffer operations. This improper validation leads to either a NULL pointer dereference (CWE-476) or heap-based buffer overflow (CWE-122), resulting in a segmentation fault that terminates the application.
The attack is network-exploitable, meaning an attacker can deliver a malicious H.265 video file through web content, email attachments, or any application that accepts and processes video streams. The vulnerability requires no authentication and no user interaction beyond opening or streaming the malicious video content.
Root Cause
The root cause stems from insufficient input validation in the PPS NAL unit handler. The pic_parameter_set::set_derived_values() function does not adequately verify that required parameters are present and within acceptable bounds before using them to calculate derived values. When a malformed PPS NAL unit contains unexpected or missing data, the function attempts to access invalid memory regions, causing the application to crash.
Attack Vector
The attack vector is network-based. An attacker crafts a malicious H.265 video file containing a specially formed PPS NAL unit designed to trigger the vulnerability. When a victim's application (media player, video editor, transcoding service, or web browser) attempts to decode this video, the pic_parameter_set::set_derived_values() function processes the malformed data and crashes.
The vulnerability manifests during the parsing phase of H.265 video decoding, specifically when the decoder processes Picture Parameter Set Network Abstraction Layer (NAL) units. The malformed PPS NAL unit causes the derived values calculation routine to access memory improperly, resulting in a segmentation fault. For detailed technical analysis of the vulnerability mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33164
Indicators of Compromise
- Unexpected application crashes or segmentation faults during H.265 video playback or processing
- Core dump files indicating crashes in libde265-related functions, particularly pic_parameter_set::set_derived_values()
- Repeated denial of service conditions affecting media processing applications
- Suspicious H.265 video files with malformed PPS NAL units in network traffic or storage
Detection Strategies
- Monitor application crash logs for segmentation faults originating from libde265 library functions
- Implement file integrity monitoring to detect suspicious video files in upload directories
- Deploy network-based detection for malformed H.265 streams with invalid PPS NAL unit structures
- Use endpoint detection solutions to identify and alert on repeated media player crashes
Monitoring Recommendations
- Enable verbose logging for applications that process H.265/HEVC video content
- Configure alerting for abnormal crash patterns in media processing workflows
- Monitor system stability metrics on servers handling video transcoding operations
- Review audit logs for incoming video files from untrusted sources
How to Mitigate CVE-2026-33164
Immediate Actions Required
- Upgrade libde265 to version 1.0.17 or later immediately
- Audit all applications and systems that may include libde265 as a dependency
- Temporarily disable H.265/HEVC video processing if upgrading is not immediately possible
- Implement input validation to reject video files from untrusted sources until patching is complete
Patch Information
Struktur has released version 1.0.17 of libde265 which addresses this vulnerability. The patch implements proper validation of PPS NAL unit data before processing derived values, preventing the segmentation fault condition. Organizations should update to the patched version immediately.
For detailed release information, see the GitHub Release v1.0.17. Additional vulnerability details are available in the GitHub Security Advisory GHSA-wqrf-6rf5-v78r.
Workarounds
- Restrict video file uploads and processing to trusted sources only
- Implement network segmentation to isolate video processing services from critical infrastructure
- Deploy sandboxing or containerization for applications that handle untrusted video content
- Use alternative H.265 decoders that are not affected by this vulnerability until patching is possible
# Verify libde265 version and update on Debian/Ubuntu systems
dpkg -l | grep libde265
sudo apt update && sudo apt install libde265-0
# For systems using compiled versions, verify the version
libde265-dec --version
# Update to v1.0.17 or later from source if needed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
