Hi,
The following vulnerabilities were published for libde265.

CVE-2026-49295[0]:
| libde265 is an open source implementation of the h.265 video codec.
| Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-
| of-bounds array write in
| `decoder_context::process_reference_picture_set()`
| (`libde265/decctx.cc:1376`). The root cause is a missing aggregate
| bound check on predicted short-term reference picture set entries.
| Individual list sizes are validated, but the combined count after
| predicted RPS construction can exceed the 16-entry `PocStFoll`
| array, writing at index 16. Version 1.0.20 patches the issue.

CVE-2026-49337[1]:
| libde265 is an open source implementation of the h.265 video codec.
| Prior to version 1.0.20, a crafted sequence of H.265 NAL units
| causes `decoder_context::read_slice_NAL()`
| (`libde265/decctx.cc:481`) to attach slice headers to a finished
| picture object that has no active image unit, resulting in attacker-
| controlled unbounded heap growth. The retained headers are never
| freed until the picture is released, which may not happen during
| continuous streaming. Version 1.0.20 patches the issue.

CVE-2026-49346[2]:
| libde265 is an open source implementation of the h.265 video codec.
| Prior to version 1.1.0, a crafted H.265 bitstream with large SPS
| dimensions and 16-bit bit depth causes a signed integer overflow in
| `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow
| wraps the plane allocation size to a small value (~1 KB), but the
| subsequent `fill_image()` call computes the real size using
| `size_t`, writing ~4 GB into the undersized heap buffer. Version
| 1.1.0 patches the issue.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-49295
    https://www.cve.org/CVERecord?id=CVE-2026-49295
[1] https://security-tracker.debian.org/tracker/CVE-2026-49337
    https://www.cve.org/CVERecord?id=CVE-2026-49337
[2] https://security-tracker.debian.org/tracker/CVE-2026-49346
    https://www.cve.org/CVERecord?id=CVE-2026-49346

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
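Added example, not part of the report above and not libde265's own code: a model of the bug class described for CVE-2026-49346, where the plane size is computed in a 32-bit signed int for the allocation but in `size_t` for the fill. The naive computation is shown beside a checked `size_t` version that rejects overflow and over-size planes; the function names, the constructed dimensions and the 1 GiB policy cap are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed policy cap on one plane's bytes (an example value, not libde265's). */
#define MAX_PLANE_BYTES ((size_t)1 << 30)

/* Model of the flawed pattern: width * height * bytes_per_sample evaluated in a
 * 32-bit signed int.  Real signed overflow is undefined behaviour in C; this
 * model wraps in two's complement so the result is reproducible. */
static int32_t plane_bytes_naive(int32_t width, int32_t height, int32_t bps)
{
    uint32_t n = (uint32_t)width * (uint32_t)height * (uint32_t)bps;
    return (int32_t)n; /* silently wraps: 2^32 + 8192 bytes becomes 8192 */
}

/* The byte count a later size_t-based fill loop would actually write. */
static size_t plane_bytes_size_t(int32_t width, int32_t height, int32_t bps)
{
    return (size_t)width * (size_t)height * (size_t)bps;
}

/* Hardened version: reject non-positive inputs, test each multiply before
 * it happens, cap the result, and hand back one size_t that allocator and
 * fill routine must both use, so the two can never disagree. */
static bool plane_bytes_checked(int32_t width, int32_t height, int32_t bps,
                                size_t *out)
{
    if (width <= 0 || height <= 0 || bps <= 0) return false;
    size_t w = (size_t)width, h = (size_t)height, b = (size_t)bps;
    if (h > SIZE_MAX / w) return false;     /* w * h would overflow size_t */
    size_t n = w * h;
    if (b > SIZE_MAX / n) return false;     /* n * b would overflow size_t */
    n *= b;
    if (n > MAX_PLANE_BYTES) return false;  /* representable but over policy */
    *out = n;
    return true;
}

/* 0 means rejected (a valid plane is never 0 bytes). */
static size_t plane_bytes_or_zero(int32_t width, int32_t height, int32_t bps)
{
    size_t n;
    return plane_bytes_checked(width, height, bps, &n) ? n : 0;
}
```

With the constructed input 524289 x 4096 at 2 bytes per sample (2^32 + 8192 bytes in total), the naive function returns 8192 while the `size_t` computation returns the real ~4 GB count; the checked version rejects it outright.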