Unrated severityNVD Advisory· Published Jun 19, 2026· Updated Jun 19, 2026
libde265 has an out-of-bounds write in process_reference_picture_set via predicted short-term RPS
CVE-2026-49295
Description
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in decoder_context::process_reference_picture_set() (libde265/decctx.cc:1376). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry PocStFoll array, writing at index 16. Version 1.0.20 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <1.0.20
Patches
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- github.com/strukturag/libde265/commit/691f3a3c55b3d32478c4a49895dee061a282652bmitrex_refsource_MISC
- github.com/strukturag/libde265/security/advisories/GHSA-g2rg-wj66-w594mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.