Source: libde265
Version: 1.0.18-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libde265.

CVE-2026-49295[0]:
| libde265 is an open source implementation of the h.265 video codec.
| Prior to version 1.0.20, a crafted H.265 bitstream can cause an
| out-of-bounds array write in
| `decoder_context::process_reference_picture_set()`
| (`libde265/decctx.cc:1376`). The root cause is a missing aggregate
| bound check on predicted short-term reference picture set entries.
| Individual list sizes are validated, but the combined count after
| predicted RPS construction can exceed the 16-entry `PocStFoll`
| array, writing at index 16. Version 1.0.20 patches the issue.

CVE-2026-49337[1]:
| libde265 is an open source implementation of the h.265 video codec.
| Prior to version 1.0.20, a crafted sequence of H.265 NAL units
| causes `decoder_context::read_slice_NAL()`
| (`libde265/decctx.cc:481`) to attach slice headers to a finished
| picture object that has no active image unit, resulting in
| attacker-controlled unbounded heap growth. The retained headers are
| never freed until the picture is released, which may not happen
| during continuous streaming. Version 1.0.20 patches the issue.

CVE-2026-49346[2]:
| libde265 is an open source implementation of the h.265 video codec.
| Prior to version 1.1.0, a crafted H.265 bitstream with large SPS
| dimensions and 16-bit bit depth causes a signed integer overflow in
| `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow
| wraps the plane allocation size to a small value (~1 KB), but the
| subsequent `fill_image()` call computes the real size using
| `size_t`, writing ~4 GB into the undersized heap buffer. Version
| 1.1.0 patches the issue.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-49295
    https://www.cve.org/CVERecord?id=CVE-2026-49295
[1] https://security-tracker.debian.org/tracker/CVE-2026-49337
    https://www.cve.org/CVERecord?id=CVE-2026-49337
[2] https://security-tracker.debian.org/tracker/CVE-2026-49346
    https://www.cve.org/CVERecord?id=CVE-2026-49346

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
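The allocation-size bug described for CVE-2026-49346 above (a plane size computed in 32-bit signed arithmetic that wraps to a small value, followed by a fill that uses the untruncated size) reduced to a small C model. This is an added example and is neither libde265's code nor the upstream fix: plane_size_int32, plane_size_real, fill_would_overflow, safe_plane_size and MAX_PLANE_BYTES are names and a policy cap chosen here, the stride and alignment a real frame buffer carries are left out, and the hostile SPS dimensions are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap on a single plane allocation (1 GiB). Not a libde265 constant. */
#define MAX_PLANE_BYTES ((uint64_t)1 << 30)

/* 8-bit samples occupy one byte, 9..16-bit samples two (stored as uint16_t). */
static int bytes_per_sample(int bit_depth)
{
    return bit_depth > 8 ? 2 : 1;
}

/* Buggy pattern: the plane size is computed in 32-bit signed arithmetic.
 * For large dimensions the product exceeds INT32_MAX and wraps to a small
 * positive value that is then handed to the allocator. The product is
 * evaluated in uint32_t and cast here so the wrap is reproducible; in real
 * code the signed overflow is undefined behaviour, which is the bug itself. */
static int32_t plane_size_int32(int width, int height, int bit_depth)
{
    uint32_t raw = (uint32_t)width * (uint32_t)height
                 * (uint32_t)bytes_per_sample(bit_depth);
    return (int32_t)raw;
}

/* The byte count a later fill routine would actually touch, computed without
 * truncation (size_t on a 64-bit target behaves like this). */
static uint64_t plane_size_real(int width, int height, int bit_depth)
{
    return (uint64_t)width * (uint64_t)height
         * (uint64_t)bytes_per_sample(bit_depth);
}

/* Returns 1 if a buffer allocated with the wrapped size would be overrun by a
 * fill that uses the real size, 0 otherwise. */
static int fill_would_overflow(int width, int height, int bit_depth)
{
    int32_t alloc = plane_size_int32(width, height, bit_depth);
    uint64_t real = plane_size_real(width, height, bit_depth);
    return alloc < 0 || (uint64_t)alloc < real;
}

/* Hardened version: validate the inputs, multiply in a wide unsigned type with
 * an explicit overflow check before each multiplication, and refuse anything
 * above the policy cap. Returns the byte count, or 0 on rejection (a valid
 * plane is never 0 bytes because width and height must be > 0). */
static uint64_t safe_plane_size(int width, int height, int bit_depth)
{
    if (width <= 0 || height <= 0 || bit_depth < 8 || bit_depth > 16)
        return 0;
    uint64_t w = (uint64_t)width, h = (uint64_t)height;
    uint64_t bps = (uint64_t)bytes_per_sample(bit_depth);
    if (w > UINT64_MAX / h) return 0;          /* w*h would overflow */
    uint64_t samples = w * h;
    if (samples > UINT64_MAX / bps) return 0;  /* samples*bps would overflow */
    uint64_t total = samples * bps;
    if (total > MAX_PLANE_BYTES) return 0;     /* larger than we are willing to allocate */
    return total;
}

int main(void)
{
    /* Constructed inputs: a normal 1080p 8-bit picture and a hostile SPS
     * claiming 65537x32768 luma samples at 16-bit depth. */
    struct { int w, h, bd; } cases[] = { {1920, 1080, 8}, {65537, 32768, 16} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int w = cases[i].w, h = cases[i].h, bd = cases[i].bd;
        printf("%dx%d @ %d-bit: int32 size=%d real size=%llu overrun=%d safe=%llu\n",
               w, h, bd, (int)plane_size_int32(w, h, bd),
               (unsigned long long)plane_size_real(w, h, bd),
               fill_would_overflow(w, h, bd),
               (unsigned long long)safe_plane_size(w, h, bd));
    }
    return 0;
}
```

For the hostile case the wrapped size is 65536 bytes while the real size is 4295032832 bytes, so a fill driven by the real size overruns the heap chunk by about 4 GB; safe_plane_size rejects the same input outright. The point to carry into a real decoder is that the check belongs where the SPS dimensions are parsed, before any allocation, and that the allocation and fill paths must derive their sizes from the same wide computation rather than recomputing in different integer types.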

