CVE-2026-49337: CWE-770: Allocation of Resources Without Limits or Throttling in strukturag libde265
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth. The retained headers are never freed until the picture is released, which may not happen during continuous streaming. Version 1.0.20 patches the issue.
AI Analysis
Technical Summary
CVE-2026-49337 describes a vulnerability in libde265, an open source H.265 video codec implementation. Before version 1.0.20, the function decoder_context::read_slice_NAL() improperly attaches slice headers to a finished picture object lacking an active image unit. This causes attacker-controlled unbounded heap growth due to retained slice headers that are only freed when the picture is released, which may not happen during continuous streaming. This is classified as CWE-770: Allocation of Resources Without Limits or Throttling. The vulnerability has a CVSS 3.1 base score of 4.3, indicating medium severity.
Potential Impact
The vulnerability can cause unbounded heap growth, potentially leading to denial of service conditions due to resource exhaustion. There is no impact on confidentiality or integrity. The issue arises from resource allocation without limits or throttling during video decoding of crafted H.265 streams.
Mitigation Recommendations
Upgrade to libde265 version 1.0.20 or later, where this issue is patched. No other mitigation or temporary workaround is indicated. Patch status is not explicitly stated but the vendor has fixed the issue in version 1.0.20.
CVE-2026-49337: CWE-770: Allocation of Resources Without Limits or Throttling in strukturag libde265
Description
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth. The retained headers are never freed until the picture is released, which may not happen during continuous streaming. Version 1.0.20 patches the issue.
CVSS v3.1
Score 4.3medium
Affected software
pkg:github/strukturag/libde265Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-49337 describes a vulnerability in libde265, an open source H.265 video codec implementation. Before version 1.0.20, the function decoder_context::read_slice_NAL() improperly attaches slice headers to a finished picture object lacking an active image unit. This causes attacker-controlled unbounded heap growth due to retained slice headers that are only freed when the picture is released, which may not happen during continuous streaming. This is classified as CWE-770: Allocation of Resources Without Limits or Throttling. The vulnerability has a CVSS 3.1 base score of 4.3, indicating medium severity.
Potential Impact
The vulnerability can cause unbounded heap growth, potentially leading to denial of service conditions due to resource exhaustion. There is no impact on confidentiality or integrity. The issue arises from resource allocation without limits or throttling during video decoding of crafted H.265 streams.
Mitigation Recommendations
Upgrade to libde265 version 1.0.20 or later, where this issue is patched. No other mitigation or temporary workaround is indicated. Patch status is not explicitly stated but the vendor has fixed the issue in version 1.0.20.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-29T14:35:45.902Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a35a6559187273676667ac9
Added to database: 6/19/2026, 8:28:05 PM
Last enriched: 6/19/2026, 8:42:58 PM
Last updated: 6/19/2026, 9:11:58 PM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.