CVE-2025-61147 identifies a vulnerability in the strukturag libde265 library, an open-source HEVC/H.265 video decoder widely used in multimedia applications and embedded systems. The flaw is a segmentation fault triggered within the decoder_context::compute_framedrop_table() function, which is responsible for managing frame drop decisions during video decoding. This segmentation fault arises due to improper memory handling, specifically a buffer overflow condition classified under CWE-120. Exploiting this vulnerability causes the application using libde265 to crash, resulting in a denial of service (DoS) condition. According to the CVSS v3.1 vector, the attack requires local access (AV:L), no privileges (PR:N), and no user interaction (UI:N), indicating that an attacker must have some level of local access to the system to trigger the fault. The impact is limited to availability (A:H) with no confidentiality or integrity loss. There are no known exploits in the wild, and no patches have been released at the time of publication. The vulnerability was reserved in late 2025 and published in early 2026. Given the nature of libde265's usage in various multimedia frameworks and embedded devices, this vulnerability could affect a broad range of systems that rely on this library for video decoding.

The primary impact of CVE-2025-61147 is denial of service due to application crashes when processing specially crafted video streams. This can disrupt media playback, streaming services, or any application relying on libde265 for HEVC decoding. For organizations, this could lead to service interruptions, degraded user experience, and potential operational downtime, especially in environments where video processing is critical such as media companies, streaming platforms, and embedded systems in consumer electronics. Since the vulnerability requires local access, remote exploitation is unlikely without prior compromise, limiting the attack surface. However, in multi-user systems or shared environments, an attacker could exploit this flaw to disrupt services or cause instability. The lack of confidentiality or integrity impact reduces the risk of data breaches or manipulation, but availability disruptions can still have significant operational and reputational consequences.

To mitigate CVE-2025-61147, organizations should first monitor for official patches or updates from the strukturag libde265 maintainers and apply them promptly once available. In the interim, consider restricting local access to systems running vulnerable versions of libde265 to trusted users only, reducing the risk of exploitation. Employ application-level sandboxing or containerization to isolate the video decoding process, limiting the impact of potential crashes. For multimedia applications, implement input validation and filtering to detect and block malformed or suspicious HEVC streams that could trigger the fault. Additionally, maintain robust monitoring and logging to detect abnormal application crashes or service disruptions indicative of exploitation attempts. Where feasible, consider alternative video decoding libraries without this vulnerability until a fix is released. Finally, ensure that system and application backups are current to facilitate rapid recovery from denial of service incidents.