CVE-2026-33165 is a heap-based out-of-bounds write vulnerability identified in the libde265 library, an open source implementation of the H.265/HEVC video codec. The vulnerability arises from improper handling of changes in the Sequence Parameter Set (SPS) during video decoding. Specifically, when the SPS changes such that PicWidthInCtbsY and PicHeightInCtbsY remain constant but Log2CtbSizeY changes, the internal variable ctb_info.log2unitSize becomes stale. This stale value leads the set_SliceHeaderIndex function to index beyond the bounds of the allocated image metadata array, resulting in a write of 2 bytes past the end of a heap allocation. This out-of-bounds write can cause heap corruption, potentially leading to application crashes or undefined behavior. The issue was confirmed by AddressSanitizer, indicating reliable detection of the memory corruption. The vulnerability affects all libde265 versions prior to 1.0.17, where it has been patched. Exploitation requires processing a crafted HEVC bitstream, which implies that user interaction is necessary to trigger the flaw, and the attack vector is local (AV:L). There is no impact on confidentiality or integrity, but the availability of the application or system using libde265 can be disrupted. No known exploits have been reported in the wild as of the publication date.

The primary impact of CVE-2026-33165 is on the availability of applications or systems that utilize vulnerable versions of libde265 for decoding H.265 video streams. An attacker who can supply a specially crafted HEVC bitstream can cause heap corruption leading to crashes or denial of service conditions. While this does not directly compromise confidentiality or integrity, the resulting instability can disrupt media playback, streaming services, or any dependent applications, potentially affecting user experience and operational continuity. Organizations relying on libde265 in media processing pipelines, video streaming platforms, or embedded devices that decode H.265 content are at risk of service interruptions. Given the requirement for user interaction and local vector, remote exploitation is less likely unless the attacker can deliver malicious video content to users who then open or process it. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

To mitigate CVE-2026-33165, organizations should immediately update libde265 to version 1.0.17 or later, where the vulnerability is patched. For environments where immediate patching is not feasible, implement strict input validation and sandboxing of video decoding processes to limit the impact of potential crashes or memory corruption. Employ runtime protections such as AddressSanitizer or other memory safety tools during development and testing to detect similar issues early. Restrict the acceptance of untrusted or unauthenticated video streams, especially from unknown sources, to reduce exposure. Monitor application logs and crash reports for signs of heap corruption or abnormal terminations related to video decoding. Additionally, consider isolating media processing components in separate containers or virtual machines to contain any potential denial of service effects. Regularly review and update third-party libraries to ensure timely application of security patches.