strukturag/libde265

GitHub

github.com

Releases32

Frequency4 months 4 weeks

Last Release about 18 hours ago

Stars1.89K

Open h.265 video codec implementation.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-33165 ↗	Mar 20, 2026Friday, 20 March 2026, 21:17	5.5 MEDIUM	—
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.
CVE-2026-33164 ↗	Mar 20, 2026Friday, 20 March 2026, 21:17	7.5 HIGH	—
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.
CVE-2025-61147 ↗	Feb 23, 2026Monday, 23 February 2026, 20:28	6.2 MEDIUM	—
strukturag libde265 commit d9fea9d wa discovered to contain a segmentation fault via the component decoder_context::compute_framedrop_table().
CVE-2024-38949 ↗	Jun 26, 2024Wednesday, 26 June 2024, 20:15	6.5 MEDIUM	—
Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc
CVE-2024-38950 ↗	Jun 26, 2024Wednesday, 26 June 2024, 20:15	6.5 MEDIUM	—
Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function.
CVE-2023-51792 ↗	Apr 19, 2024Friday, 19 April 2024, 17:15	3.3 LOW	—
Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attacker to cause a denial of service via the allocation size exceeding the maximum supported size of 0x10000000000.
CVE-2023-49468 ↗	Dec 7, 2023Thursday, 7 December 2023, 20:15	8.8 HIGH	—
Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.
CVE-2023-49467 ↗	Dec 7, 2023Thursday, 7 December 2023, 20:15	8.8 HIGH	—
Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.
CVE-2023-49465 ↗	Dec 7, 2023Thursday, 7 December 2023, 20:15	8.8 HIGH	—
Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc.
CVE-2023-43887 ↗	Nov 22, 2023Wednesday, 22 November 2023, 18:15	8.1 HIGH	—
Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameters in the function pic_parameter_set::dump.
CVE-2023-47471 ↗	Nov 16, 2023Thursday, 16 November 2023, 04:15	6.5 MEDIUM	—
Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a local attacker to cause a denial of service via the slice_segment_header function in the slice.cc component.
CVE-2023-27103 ↗	Mar 15, 2023Wednesday, 15 March 2023, 15:15	8.8 HIGH	—
Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc.
CVE-2023-27102 ↗	Mar 15, 2023Wednesday, 15 March 2023, 15:15	6.5 MEDIUM	—
Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segment_header at decctx.cc.
CVE-2022-47665 ↗	Mar 3, 2023Friday, 3 March 2023, 15:15	7.8 HIGH	—
Libde265 1.0.9 has a heap buffer overflow vulnerability in de265_image::set_SliceAddrRS(int, int, int)
CVE-2022-47664 ↗	Mar 3, 2023Friday, 3 March 2023, 15:15	7.8 HIGH	—
Libde265 1.0.9 is vulnerable to Buffer Overflow in ff_hevc_put_hevc_qpel_pixels_8_sse
CVE-2023-25221 ↗	Mar 1, 2023Wednesday, 1 March 2023, 15:15	7.8 HIGH	—
Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function in motion.cc.
CVE-2023-24758 ↗	Mar 1, 2023Wednesday, 1 March 2023, 15:15	5.5 MEDIUM	—
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
CVE-2023-24756 ↗	Mar 1, 2023Wednesday, 1 March 2023, 15:15	5.5 MEDIUM	—
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_unweighted_pred_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
CVE-2023-24755 ↗	Mar 1, 2023Wednesday, 1 March 2023, 15:15	5.5 MEDIUM	—
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the put_weighted_pred_8_fallback function at fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
CVE-2023-24754 ↗	Mar 1, 2023Wednesday, 1 March 2023, 15:15	5.5 MEDIUM	—
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
CVE-2023-24752 ↗	Mar 1, 2023Wednesday, 1 March 2023, 15:15	5.5 MEDIUM	—
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
CVE-2023-24751 ↗	Mar 1, 2023Wednesday, 1 March 2023, 15:15	6.5 MEDIUM	—
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
CVE-2023-24757 ↗	Mar 1, 2023Wednesday, 1 March 2023, 15:15	5.5 MEDIUM	—
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the put_unweighted_pred_16_fallback function at fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
CVE-2022-47655 ↗	Jan 5, 2023Thursday, 5 January 2023, 16:15	7.8 HIGH	—
Libde265 1.0.9 is vulnerable to Buffer Overflow in function void put_qpel_fallback<unsigned short>
CVE-2022-43253 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_unweighted_pred_16_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43252 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_16_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43248 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_weighted_pred_avg_16_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43250 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43249 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_hv_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43245 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a segmentation violation via apply_sao_internal<unsigned short> in sao.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43243 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_weighted_pred_avg_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43239 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via mc_chroma<unsigned short> in motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43244 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43242 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via mc_luma<unsigned char> in motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43241 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc_put_hevc_qpel_v_3_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43240 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_hevc_qpel_h_2_v_1_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43238 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc_put_hevc_qpel_h_3_v_3_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43237 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vulnerability via void put_epel_hv_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43236 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-43235 ↗	Nov 2, 2022Wednesday, 2 November 2022, 14:15	6.5 MEDIUM	—
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_hevc_epel_pixels_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.
CVE-2022-1253 ↗	Apr 6, 2022Wednesday, 6 April 2022, 12:15	9.8 CRITICAL	7.5 HIGH
Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. The fix is established in commit 8e89fe0e175d2870c39486fdd09250b230ec10b8 but does not yet belong to an official release.
CVE-2021-36409 ↗	Jan 10, 2022Monday, 10 January 2022, 23:15	7.8 HIGH	6.8 MEDIUM
There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding file, which allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file or possibly have unspecified other impact.
CVE-2021-36411 ↗	Jan 10, 2022Monday, 10 January 2022, 23:15	5.5 MEDIUM	4.3 MEDIUM
An issue has been found in libde265 v1.0.8 due to incorrect access control. A SEGV caused by a READ memory access in function derive_boundaryStrength of deblock.cc has occurred. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.
CVE-2021-36410 ↗	Jan 10, 2022Monday, 10 January 2022, 23:15	5.5 MEDIUM	4.3 MEDIUM
A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion.cc in function put_epel_hv_fallback when running program dec265.
CVE-2021-36408 ↗	Jan 10, 2022Monday, 10 January 2022, 23:15	5.5 MEDIUM	4.3 MEDIUM
An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-free in intrapred.h when decoding file using dec265.
CVE-2021-35452 ↗	Jan 10, 2022Monday, 10 January 2022, 22:15	6.5 MEDIUM	4.3 MEDIUM
An Incorrect Access Control vulnerability exists in libde265 v1.0.8 due to a SEGV in slice.cc.
CVE-2020-21602 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bipred_16_fallback function, which can be exploited via a crafted a file.
CVE-2020-21606 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
libde265 v1.0.4 contains a heap buffer overflow fault in the put_epel_16_fallback function, which can be exploited via a crafted a file.
CVE-2020-21605 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
libde265 v1.0.4 contains a segmentation fault in the apply_sao_internal function, which can be exploited via a crafted a file.
CVE-2020-21604 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
libde265 v1.0.4 contains a heap buffer overflow fault in the _mm_loadl_epi64 function, which can be exploited via a crafted a file.
CVE-2020-21603 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
libde265 v1.0.4 contains a heap buffer overflow in the put_qpel_0_0_fallback_16 function, which can be exploited via a crafted a file.
CVE-2020-21594 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
libde265 v1.0.4 contains a heap buffer overflow in the put_epel_hv_fallback function, which can be exploited via a crafted a file.
CVE-2020-21601 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
libde265 v1.0.4 contains a stack buffer overflow in the put_qpel_fallback function, which can be exploited via a crafted a file.
CVE-2020-21600 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_pred_avg_16_fallback function, which can be exploited via a crafted a file.
CVE-2020-21599 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
libde265 v1.0.4 contains a heap buffer overflow in the de265_image::available_zscan function, which can be exploited via a crafted a file.
CVE-2020-21598 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	8.8 HIGH	6.8 MEDIUM
libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unweighted_pred_8_sse function, which can be exploited via a crafted a file.
CVE-2020-21597 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma function, which can be exploited via a crafted a file.
CVE-2020-21596 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
libde265 v1.0.4 contains a global buffer overflow in the decode_CABAC_bit function, which can be exploited via a crafted a file.
CVE-2020-21595 ↗	Sep 16, 2021Thursday, 16 September 2021, 22:15	6.5 MEDIUM	4.3 MEDIUM
libde265 v1.0.4 contains a heap buffer overflow in the mc_luma function, which can be exploited via a crafted a file.