Vulnerability DatabaseCVE-2026-49295
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-49295
Published:June 19, 2026
Updated:June 29, 2026
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in "decoder_context::process_reference_picture_set()" ("libde265/decctx.cc:1376"). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry "PocStFoll" array, writing at index 16. Version 1.0.20 patches the issue.
Affected Packages
https://github.com/strukturag/libde265.git (GITHUB):
Affected version(s) >=v0.1 <v1.1.0
Fix Suggestion:
Update to version v1.1.0
Related Resources (2)
https://github.com/strukturag/libde265/security/advisories/GHSA-g2rg-wj66-w594
https://github.com/strukturag/libde265/commit/691f3a3c55b3d32478c4a49895dee061a282652b
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
HIGH
Weakness Type (CWE)
Out-of-bounds Write
CWE-787
EPSS
Base Score:
0.23