{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33165", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.888Z", "datePublished": "2026-03-20T20:32:36.603Z", "dateUpdated": "2026-03-24T18:48:34.866Z"}, "containers": {"cna": {"title": "heap out-of-bounds write in libde265 1.0.16", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg"}, {"name": "https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658", "tags": ["x_refsource_MISC"], "url": "https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658"}, {"name": "https://github.com/strukturag/libde265/releases/tag/v1.0.17", "tags": ["x_refsource_MISC"], "url": "https://github.com/strukturag/libde265/releases/tag/v1.0.17"}], "affected": [{"vendor": "strukturag", "product": "libde265", "versions": [{"version": "< 1.0.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T20:32:36.603Z"}, "descriptions": [{"lang": "en", "value": "libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17."}], "source": {"advisory": "GHSA-653q-9f73-8hvg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:45:05.537736Z", "id": "CVE-2026-33165", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:48:34.866Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33165", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:45:05.537736Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:48:22.689Z"}}], "cna": {"title": "heap out-of-bounds write in libde265 1.0.16", "source": {"advisory": "GHSA-653q-9f73-8hvg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "strukturag", "product": "libde265", "versions": [{"status": "affected", "version": "< 1.0.17"}]}], "references": [{"url": "https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg", "name": "https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658", "name": "https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/strukturag/libde265/releases/tag/v1.0.17", "name": "https://github.com/strukturag/libde265/releases/tag/v1.0.17", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T20:32:36.603Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33165", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:48:34.866Z", "dateReserved": "2026-03-17T21:17:08.888Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T20:32:36.603Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:struktur:libde265:*:*:*:*:*:*:*:*", "matchCriteriaId": "40DB036E-3A5D-4245-B887-4123769ECB8D", "versionEndExcluding": "1.0.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17."}], "id": "CVE-2026-33165", "lastModified": "2026-03-23T20:09:04.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T21:17:16.453", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/strukturag/libde265/releases/tag/v1.0.17"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Patch"], "url": "https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.17)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "libde265", "source": "cna", "vendor": "strukturag"}, "product": "libde265", "vendor": "struktur"}], "analysis": {"en": {"generated_at": "2026-03-24T04:36:47.117810+00:00", "value": {"mitigation_remediation": ["Update libde265 to version 1.0.17 or later.", "If the application must continue to process HEVC streams, restrict handling of untrusted content until the update is applied.", "Regularly review the libde265 project page and GitHub advisories for new releases."], "summary": {"action": "Immediate Patch", "impact": "Heap out\u2011of\u2011bounds write causing memory corruption"}, "threat_synthesis": {"affected_systems": "Any deployment of strukturag libde265 prior to version 1.0.17 is affected; the fix is available in 1.0.17 and newer.", "description_and_impact": "A heap out\u2011of\u2011bounds write in libde265 allows a crafted HEVC bitstream to overwrite two bytes beyond a heap allocation. The flaw occurs when the Log2CtbSizeY value changes after an SPS change while PicWidthInCtbsY and PicHeightInCtbsY remain constant, causing set_SliceHeaderIndex to index past the image\u2011metadata array. This memory corruption can lead to undefined behaviour; no evidence indicates it results in code execution. The CVSS score of 5.5 reflects moderate severity, signalling potential confidentiality, integrity, or availability impacts.", "risk_and_exploitability": "The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require supplying a malicious HEVC stream to a vulnerable decoder\u2014an attack vector inferred from the description. No confirmed privilege escalation or remote code execution has been reported. The moderate CVSS score and low exploitation probability suggest a low to moderate overall risk."}}}}, "created": "2026-03-23T09:52:40.369203+00:00", "updated": "2026-03-25T14:34:34.754597+00:00", "vendors": ["struktur", "struktur$PRODUCT$libde265"]}