CVE-2026-49295: CWE-787: Out-of-bounds Write in strukturag libde265
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.
AI Analysis
Technical Summary
CVE-2026-49295 is an out-of-bounds write vulnerability in libde265 versions before 1.0.20. The vulnerability arises in decoder_context::process_reference_picture_set() where the combined count of predicted short-term reference picture set entries can exceed the size of the PocStFoll array (16 entries). While individual list sizes are validated, the aggregate count is not, leading to an out-of-bounds write at index 16. This can be triggered by a crafted H.265 bitstream. The vulnerability is fixed in libde265 version 1.0.20.
Potential Impact
An attacker can cause an out-of-bounds write by supplying a specially crafted H.265 bitstream. This may result in denial of service (application crash) or other undefined behavior due to memory corruption. The CVSS score of 7.1 reflects high severity with network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and high availability impact.
Mitigation Recommendations
Upgrade libde265 to version 1.0.20 or later, where this out-of-bounds write vulnerability is patched. No other official remediation or temporary fixes are documented. Users should apply this update to mitigate the risk.
CVE-2026-49295: CWE-787: Out-of-bounds Write in strukturag libde265
Description
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.
CVSS v3.1
Score 7.1high
Affected software
pkg:github/strukturag/libde265Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-49295 is an out-of-bounds write vulnerability in libde265 versions before 1.0.20. The vulnerability arises in decoder_context::process_reference_picture_set() where the combined count of predicted short-term reference picture set entries can exceed the size of the PocStFoll array (16 entries). While individual list sizes are validated, the aggregate count is not, leading to an out-of-bounds write at index 16. This can be triggered by a crafted H.265 bitstream. The vulnerability is fixed in libde265 version 1.0.20.
Potential Impact
An attacker can cause an out-of-bounds write by supplying a specially crafted H.265 bitstream. This may result in denial of service (application crash) or other undefined behavior due to memory corruption. The CVSS score of 7.1 reflects high severity with network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and high availability impact.
Mitigation Recommendations
Upgrade libde265 to version 1.0.20 or later, where this out-of-bounds write vulnerability is patched. No other official remediation or temporary fixes are documented. Users should apply this update to mitigate the risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-28T20:07:58.862Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a35a6559187273676667ac5
Added to database: 06/19/2026, 20:28:05 UTC
Last enriched: 06/19/2026, 20:42:53 UTC
Last updated: 06/21/2026, 00:28:19 UTC
Views: 18
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.