CVE-2026-33165 Overview
CVE-2026-33165 is an out-of-bounds heap write vulnerability discovered in libde265, an open source implementation of the H.265 (HEVC) video codec. Prior to version 1.0.17, a specially crafted HEVC bitstream can trigger a heap buffer overflow condition that has been confirmed through AddressSanitizer testing. This memory corruption vulnerability occurs when processing malformed video content and could potentially be leveraged for denial of service attacks against applications using the vulnerable library.
Critical Impact
A malicious HEVC video file can corrupt heap memory, potentially crashing video processing applications or players that depend on libde265 for H.265 decoding.
Affected Products
- struktur libde265 versions prior to 1.0.17
Discovery Timeline
- 2026-03-20 - CVE-2026-33165 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33165
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-Bounds Write), a memory corruption issue that occurs when processing malformed HEVC video streams. The vulnerability requires local access and user interaction to exploit, as an attacker must convince a victim to open a crafted video file. The impact is primarily on availability, as successful exploitation leads to application crashes through heap corruption.
The flaw exists in the slice header processing logic where image metadata is indexed and written. When specific conditions are met during SPS (Sequence Parameter Set) changes in the video stream, the library incorrectly calculates buffer boundaries, leading to a 2-byte heap overflow.
Root Cause
The root cause involves a stale ctb_info.log2unitSize value that persists after an SPS change in the HEVC bitstream. Specifically, when PicWidthInCtbsY and PicHeightInCtbsY parameters remain constant but Log2CtbSizeY changes, the set_SliceHeaderIndex function uses outdated sizing information. This mismatch causes the function to index past the allocated image metadata array boundaries, resulting in a 2-byte write beyond the end of a heap allocation.
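The condition described above can be reproduced in a simplified model. This is an added example, not libde265 source code: the meta_array struct, the function names and the refresh_unit switch are hypothetical, and the picture dimensions are constructed. The store is bounds-checked so the model reports the out-of-range index instead of performing the write.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical metadata array: one 16-bit entry per CTB of the picture. */
typedef struct {
    uint16_t *data;
    int width_in_units, height_in_units, log2unitSize;
} meta_array;

/* (Re)size for a new SPS. refresh_unit=0 models the flaw: when the CTB grid
 * is unchanged the array is reused and the old log2unitSize is kept. */
static int meta_alloc(meta_array *m, int w, int h, int log2unit, int refresh_unit) {
    if (!m->data || m->width_in_units != w || m->height_in_units != h) {
        free(m->data);
        m->data = calloc((size_t)w * (size_t)h, sizeof *m->data);
        m->width_in_units = w; m->height_in_units = h;
        m->log2unitSize = log2unit;
    } else if (refresh_unit) {
        m->log2unitSize = log2unit;   /* corrected: unit size is part of the layout */
    }
    return m->data != NULL;
}

/* Bounds-checked store; returns -1 where an unchecked store would write
 * 2 bytes past the allocation. */
static int meta_set(meta_array *m, int x, int y, uint16_t v) {
    size_t idx = (size_t)(x >> m->log2unitSize)
               + (size_t)(y >> m->log2unitSize) * (size_t)m->width_in_units;
    size_t count = (size_t)m->width_in_units * (size_t)m->height_in_units;
    if (idx >= count) return -1;
    m->data[idx] = v;
    return 0;
}

/* Constructed scenario: 4x4 CTB grid kept, Log2CtbSizeY changes 4 -> 6, then a
 * store at the last pixel (255,255) of the new 256x256 picture. */
int sps_change_store(int refresh_unit) {
    meta_array m = {0};
    if (!meta_alloc(&m, 4, 4, 4, refresh_unit)) return -2;
    if (!meta_alloc(&m, 4, 4, 6, refresh_unit)) return -2;
    int rc = meta_set(&m, 255, 255, 1);
    free(m.data);
    return rc;
}

int main(void) {
    printf("stale=%d refreshed=%d\n", sps_change_store(0), sps_change_store(1));
    return 0;
}
```

With the stale shift of 4, pixel (255,255) maps to index 75 in a 16-entry array; with the refreshed shift of 6 it maps to index 15, the last valid entry.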
Attack Vector
The attack vector is local, requiring an attacker to deliver a maliciously crafted HEVC video file to a target system. Exploitation requires user interaction—specifically, the victim must open or process the malformed video using an application that relies on a vulnerable version of libde265 for H.265 decoding. This could occur through:
- Opening a malicious video file in a media player
- Processing a crafted video through transcoding software
- Rendering video content in applications embedding libde265
The vulnerability manifests in the slice header processing logic when the set_SliceHeaderIndex function operates on stale CTB (Coding Tree Block) sizing information. When an SPS change occurs with specific parameter combinations, the function calculates an incorrect index that exceeds the allocated metadata array bounds. For complete technical details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33165
Indicators of Compromise
- Unexpected crashes in applications using libde265 when processing video files
- AddressSanitizer or heap overflow detection alerts in development/testing environments
- Abnormal memory allocation patterns during HEVC video decoding operations
Detection Strategies
- Monitor for heap corruption crashes in video processing applications
- Implement AddressSanitizer builds for testing media handling pipelines
- Scan deployed systems for libde265 versions prior to 1.0.17
- Review application crash logs for symptoms consistent with out-of-bounds heap writes
Monitoring Recommendations
- Enable memory sanitization tools in development and staging environments
- Deploy application crash monitoring for video processing components
- Implement software composition analysis (SCA) to track libde265 versions across systems
How to Mitigate CVE-2026-33165
Immediate Actions Required
- Update libde265 to version 1.0.17 or later immediately
- Audit systems for applications that bundle or depend on libde265
- Restrict processing of untrusted HEVC video content until patched
- Consider implementing input validation for video files from untrusted sources
Patch Information
The vulnerability has been patched in libde265 version 1.0.17. Organizations should update to this version or later to remediate the vulnerability. The fix is available through the official release and the specific commit addressing this issue.
Workarounds
- Avoid processing HEVC video files from untrusted sources until the patch is applied
- Implement sandboxing or process isolation for video decoding operations
- Use alternative video codecs where feasible until libde265 can be updated
- Deploy application-level monitoring to detect and terminate processes exhibiting heap corruption symptoms
# Verify libde265 version on Linux systems
pkg-config --modversion libde265
# Or check installed package version
dpkg -l | grep libde265 # Debian/Ubuntu
rpm -qa | grep libde265 # RHEL/CentOS


