CVE Vulnerability Details :
CVE-2026-49295
PUBLISHED
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-19 Jun, 2026 | 20:09
Updated At-22 Jun, 2026 | 17:18
Rejected At-
▼CVE Numbering Authority (CNA)
libde265 has an out-of-bounds write in process_reference_picture_set via predicted short-term RPS

libde265 is an open source implementation of the H.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.
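The gap between per-list and aggregate validation described above, as an added C model that is not libde265's code and not the upstream patch. The struct layouts, field names and function names are assumptions made for illustration; only the 16-entry capacity and the shared "follow" list come from the advisory text.

```c
#include <string.h>

#define MAX_NUM_REF_PICS 16 /* the advisory's 16-entry list capacity */

/* Simplified short-term RPS after prediction; field names are assumptions. */
struct st_rps {
    int num_negative, num_positive;
    int delta_s0[MAX_NUM_REF_PICS], delta_s1[MAX_NUM_REF_PICS];
    unsigned char used_s0[MAX_NUM_REF_PICS], used_s1[MAX_NUM_REF_PICS];
};

struct poc_lists {
    int curr_before[MAX_NUM_REF_PICS], curr_after[MAX_NUM_REF_PICS];
    int foll[MAX_NUM_REF_PICS];
    int n_before, n_after, n_foll;
};

/* Per-list validation only: each count fits its own array. */
int per_list_ok(const struct st_rps *r) {
    return r->num_negative >= 0 && r->num_negative <= MAX_NUM_REF_PICS &&
           r->num_positive >= 0 && r->num_positive <= MAX_NUM_REF_PICS;
}

/* Entries not used by the current picture, from BOTH lists, share foll[].
   Call only after per_list_ok() has passed. */
int foll_demand(const struct st_rps *r) {
    int n = 0;
    for (int i = 0; i < r->num_negative; i++) n += !r->used_s0[i];
    for (int i = 0; i < r->num_positive; i++) n += !r->used_s1[i];
    return n;
}

/* Returns 0 on success, -1 when the set is rejected before any write. */
int build_poc_lists(const struct st_rps *r, int cur_poc, struct poc_lists *out) {
    memset(out, 0, sizeof *out);
    if (!per_list_ok(r)) return -1;
    if (r->num_negative + r->num_positive > MAX_NUM_REF_PICS) return -1; /* aggregate bound */
    for (int i = 0; i < r->num_negative; i++) {
        int poc = cur_poc + r->delta_s0[i];
        if (r->used_s0[i]) out->curr_before[out->n_before++] = poc;
        else               out->foll[out->n_foll++] = poc;
    }
    for (int i = 0; i < r->num_positive; i++) {
        int poc = cur_poc + r->delta_s1[i];
        if (r->used_s1[i]) out->curr_after[out->n_after++] = poc;
        else               out->foll[out->n_foll++] = poc;
    }
    return 0;
}
```

With 9 negative and 8 positive entries, none used by the current picture, `per_list_ok()` passes while `foll_demand()` is 17; without the aggregate line the seventeenth entry would land at index 16 of a 16-entry array.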

Affected Products
Vendor: strukturag
Product: libde265
Versions affected: < 1.0.20
Problem Types
Type: CWE
CWE ID: CWE-787
Description: CWE-787: Out-of-bounds Write
Metrics
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
References
Hyperlink: https://github.com/strukturag/libde265/security/advisories/GHSA-g2rg-wj66-w594
Resource: x_refsource_CONFIRM
Hyperlink: https://github.com/strukturag/libde265/commit/691f3a3c55b3d32478c4a49895dee061a282652b
Resource: x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
Hyperlink: https://github.com/strukturag/libde265/security/advisories/GHSA-g2rg-wj66-w594
Resource: exploit