CVE-2026-33165

Name of the Vulnerable Software and Affected Versions libde265 versions prior to 1.0.17

Description libde265 is an open source implementation of the h.265 video codec. A crafted HEVC bitstream can cause an out-of-bounds heap write. This occurs due to a stale ctb info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY remain constant, but Log2CtbSizeY changes. This leads to set SliceHeaderIndex indexing past the allocated image metadata array, resulting in a write beyond the bounds of a heap allocation.

Recommendations Update to libde265 version 1.0.17 or later.