Source: libde265
Version: 1.0.16-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for libde265.

CVE-2026-33165[0]:
| libde265 is an open source implementation of the h.265 video codec.
| Prior to version 1.0.17, a crafted HEVC bitstream causes an
| out-of-bounds heap write confirmed by AddressSanitizer. The trigger is
| a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY
| and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing
| set_SliceHeaderIndex to index past the allocated image metadata array
| and write 2 bytes past the end of a heap allocation. This issue has
| been patched in version 1.0.17.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33165
    https://www.cve.org/CVERecord?id=CVE-2026-33165
[1] https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg
[2] https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
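The following is an added example, not part of the bug report above and not libde265's own code. It is a simplified model of the bug class the advisory describes: a per-CTB metadata array is only reallocated when its grid dimensions (PicWidthInCtbsY x PicHeightInCtbsY) change, so when a new SPS keeps those dimensions but raises Log2CtbSizeY, the stored shift (modelled here as log2_unit_size) goes stale and the pixel-to-unit index lands past the allocation. All struct and function names (sps_t, ctb_info_t, ctb_info_activate_sps, ctb_info_index, ctb_info_set, run_scenario) are hypothetical; the 2-byte entry type is an assumption based only on the advisory's "write 2 bytes past the end". The `buggy` flag switches between the stale-shift behaviour and the straightforward fix of refreshing the shift on every SPS activation, and ctb_info_set shows the bounds check a practitioner would want in front of the raw write.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical SPS model (not libde265's struct): only the fields needed
   to size the per-CTB metadata grid. */
typedef struct {
    int pic_width_luma;   /* picture width in luma samples */
    int pic_height_luma;  /* picture height in luma samples */
    int log2_ctb_size;    /* Log2CtbSizeY */
} sps_t;

/* Hypothetical per-CTB metadata storage. One 2-byte entry per CTB is an
   assumption drawn from the advisory's "write 2 bytes past the end". */
typedef struct {
    uint16_t *data;
    int width_in_units;   /* PicWidthInCtbsY */
    int height_in_units;  /* PicHeightInCtbsY */
    int log2_unit_size;   /* shift mapping a luma x/y to a unit index */
} ctb_info_t;

static int ceil_shift(int n, int log2) { return (n + (1 << log2) - 1) >> log2; }

/* Activate a new SPS. The buffer is reallocated only when the grid
   dimensions change. In the buggy variant the shift is refreshed only at
   that moment, so a same-dimension SPS with a different CTB size leaves
   it stale; the fixed variant refreshes it unconditionally. */
void ctb_info_activate_sps(ctb_info_t *info, const sps_t *sps, bool buggy) {
    int w = ceil_shift(sps->pic_width_luma, sps->log2_ctb_size);
    int h = ceil_shift(sps->pic_height_luma, sps->log2_ctb_size);
    if (info->data == NULL || w != info->width_in_units || h != info->height_in_units) {
        free(info->data);
        info->data = calloc((size_t)w * (size_t)h, sizeof(uint16_t));
        info->width_in_units = w;
        info->height_in_units = h;
        info->log2_unit_size = sps->log2_ctb_size;
    } else if (!buggy) {
        info->log2_unit_size = sps->log2_ctb_size; /* the fix: always refresh */
    }
}

/* Index an unchecked set_SliceHeaderIndex-style write would use for the
   CTB containing luma position (x, y). */
int ctb_info_index(const ctb_info_t *info, int x, int y) {
    return (y >> info->log2_unit_size) * info->width_in_units + (x >> info->log2_unit_size);
}

/* Bounds-checked write: refuses instead of writing past the allocation. */
bool ctb_info_set(ctb_info_t *info, int x, int y, uint16_t v) {
    int ux = x >> info->log2_unit_size, uy = y >> info->log2_unit_size;
    if (ux < 0 || uy < 0 || ux >= info->width_in_units || uy >= info->height_in_units)
        return false;
    info->data[uy * info->width_in_units + ux] = v;
    return true;
}

/* Constructed scenario: SPS1 is 64x64 with 16x16 CTBs (a 4x4 grid);
   SPS2 is 128x128 with 32x32 CTBs (still a 4x4 grid, so no realloc).
   Returns the index computed for the last CTB of SPS2, whose top-left
   luma sample is (96, 96); *entries receives the allocation size. */
int run_scenario(bool buggy, int *entries) {
    ctb_info_t info = {0};
    sps_t sps1 = {64, 64, 4};
    sps_t sps2 = {128, 128, 5};
    ctb_info_activate_sps(&info, &sps1, buggy);
    ctb_info_activate_sps(&info, &sps2, buggy);
    *entries = info.width_in_units * info.height_in_units;
    int idx = ctb_info_index(&info, 96, 96);
    free(info.data);
    return idx;
}

int main(void) {
    int entries;
    int bad = run_scenario(true, &entries);   /* 30 with 16 entries: past the end */
    int good = run_scenario(false, &entries); /* 15: last valid entry */
    return (bad >= entries && good < entries) ? 0 : 1;
}
```

With the stale shift the index for the last CTB is 30 in a 16-entry array, i.e. a write 28 bytes past the end of the buffer in this model; refreshing the shift yields 15. The exact displacement in libde265 depends on its own grid geometry and is not something this model reproduces, only the mechanism.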

