CVE-2026-33165 is a heap out-of-bounds write vulnerability classified under CWE-787 found in libde265, an open-source implementation of the H.265/HEVC video codec. The issue arises prior to version 1.0.17 when a specially crafted HEVC bitstream triggers a stale ctb_info.log2unitSize value after a Sequence Parameter Set (SPS) change. Specifically, when PicWidthInCtbsY and PicHeightInCtbsY remain constant but Log2CtbSizeY changes, the function set_SliceHeaderIndex incorrectly indexes beyond the allocated image metadata array. This results in a 2-byte write past the end of a heap allocation, confirmed by AddressSanitizer. The vulnerability does not affect confidentiality or integrity but can cause application crashes or denial of service due to heap corruption. Exploitation requires user interaction to process malicious video content, and no privileges are required. The flaw has been addressed in libde265 version 1.0.17. No public exploits have been observed in the wild, but the vulnerability poses a risk to applications that decode untrusted HEVC streams using vulnerable libde265 versions.

The primary impact of CVE-2026-33165 is denial of service caused by heap corruption leading to application crashes when processing maliciously crafted HEVC video streams. This can disrupt media playback or streaming services relying on libde265, affecting user experience and potentially causing service outages. Since the vulnerability does not compromise confidentiality or integrity, it is less likely to be exploited for data theft or code execution. However, in environments where video decoding is part of critical workflows or embedded systems, repeated crashes could degrade system reliability. The requirement for user interaction and local access limits remote exploitation, but attackers could leverage social engineering to deliver malicious video files. Organizations using libde265 in media players, streaming platforms, or video processing pipelines worldwide may face operational disruptions if unpatched.

To mitigate CVE-2026-33165, organizations should immediately update libde265 to version 1.0.17 or later, where the vulnerability is patched. For environments where immediate updating is not feasible, applying input validation or sandboxing video decoding processes can reduce risk by isolating potential crashes. Employing runtime protections such as AddressSanitizer or other memory safety tools during development and testing can help detect similar issues early. Additionally, restricting the processing of untrusted or unauthenticated HEVC streams and educating users about the risks of opening unknown video files can reduce exposure. Monitoring for unusual application crashes in media components may help detect exploitation attempts. Vendors embedding libde265 should ensure timely integration of the patched version and communicate updates to downstream users.