PatchSiren cyber security CVE debrief
CVE-2026-49295 strukturag CVE debrief
CVE-2026-49295 is a HIGH severity vulnerability in libde265, an open-source H.265/HEVC video decoder. A crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()`: the decoder did not check the aggregate number of entries produced by a predicted short-term reference picture set before writing them into a fixed-size array. The vulnerability carries a CVSS 3.1 base score of 7.1 and was published on June 19, 2026. All libde265 versions prior to 1.0.20 are affected; the fix is in 1.0.20, and defenders should prioritize updating to that version or later.
- Vendor: strukturag
- Product: libde265
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-19
- Original CVE updated: 2026-06-22
- Advisory published: 2026-06-19
- Advisory updated: 2026-06-22
Who should care
Anyone who ships or runs libde265 should plan the update to 1.0.20 or later: maintainers of applications and media frameworks that link libde265 for H.265 decoding, packagers and distributors who bundle it (including as a transitive dependency), and the security and vulnerability-management teams that track those dependencies. Because the trigger is a crafted bitstream, any component that decodes H.265 media from sources it does not control (uploads, downloads, attachments, streamed content) is in scope for this HIGH severity issue.
Technical summary
The vulnerability is a missing aggregate bound check on predicted short-term reference picture set entries in `decoder_context::process_reference_picture_set()`. In HEVC, `PocStFoll` holds the picture order counts of short-term reference pictures that are kept for later pictures but not used by the current one; in libde265 that array has 16 entries. A predicted short-term RPS derives its entries from a previously signalled set, and the decoder did not verify that the total number of entries destined for `PocStFoll` fits in those 16 slots before writing, so a crafted bitstream can push the write index past the end of the array. The issue was patched in libde265 1.0.20. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H: the stream can arrive over the network with no authentication, a user or service must decode it (UI:R), and the scored impact is a decoder crash (A:H) with limited integrity impact (I:L).
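To make the failure mode concrete, the following is an added illustrative model of the `PocStFoll` bookkeeping described above. It is not libde265's code and not part of the advisory: the type names, the `make_all_foll_rps` and `try_set` helpers, and the contrast between a per-list check and an aggregate check are assumptions made for this example. What it shows is the general point the advisory makes: entries from two separately bounded lists (negative and positive reference pictures) are written into one shared 16-entry array, so validating each list on its own does not bound the write index; only a check on the sum does.

```cpp
// Added, illustrative model of the PocStFoll bookkeeping (NOT libde265's code).
// Names, structure and the "per-list vs aggregate check" shape are assumptions.
#include <cstddef>
#include <cstdio>
#include <vector>

constexpr std::size_t kMaxPocStFoll = 16;   // PocStFoll has 16 entries per the advisory

struct StRefPic {
    int  delta_poc;          // distance from the current picture's POC
    bool used_by_curr_pic;   // false => a "follow" entry, i.e. goes into PocStFoll
};

struct ShortTermRefPicSet {
    std::vector<StRefPic> negative;  // pictures before the current one
    std::vector<StRefPic> positive;  // pictures after the current one
};

struct DecoderState {
    int         PocStFoll[kMaxPocStFoll] = {};
    std::size_t NumPocStFoll = 0;
};

// Entries this set would write into PocStFoll. "Follow" pictures from BOTH
// lists land in the same array, so the bound must apply to the sum.
std::size_t count_foll_entries(const ShortTermRefPicSet& rps) {
    std::size_t n = 0;
    for (const StRefPic& p : rps.negative) if (!p.used_by_curr_pic) ++n;
    for (const StRefPic& p : rps.positive) if (!p.used_by_curr_pic) ++n;
    return n;
}

// A per-list check (assumed shape) that is NOT sufficient: each list fits on
// its own, yet the two together can exceed the array.
bool per_list_check_passes(const ShortTermRefPicSet& rps) {
    return rps.negative.size() <= kMaxPocStFoll && rps.positive.size() <= kMaxPocStFoll;
}

// Hardened processing: validate the aggregate before touching the array and
// reject the picture (state untouched) when its entries do not fit.
bool process_reference_picture_set(const ShortTermRefPicSet& rps, int curr_poc, DecoderState& st) {
    if (count_foll_entries(rps) > kMaxPocStFoll) return false;   // the aggregate bound check
    st.NumPocStFoll = 0;
    for (const StRefPic& p : rps.negative)
        if (!p.used_by_curr_pic) st.PocStFoll[st.NumPocStFoll++] = curr_poc + p.delta_poc;
    for (const StRefPic& p : rps.positive)
        if (!p.used_by_curr_pic) st.PocStFoll[st.NumPocStFoll++] = curr_poc + p.delta_poc;
    return true;
}

// Constructed input (assumption): n_neg negative and n_pos positive pictures,
// all "follow", i.e. the worst case for PocStFoll.
ShortTermRefPicSet make_all_foll_rps(std::size_t n_neg, std::size_t n_pos) {
    ShortTermRefPicSet rps;
    for (std::size_t i = 0; i < n_neg; ++i) rps.negative.push_back({-static_cast<int>(i) - 1, false});
    for (std::size_t i = 0; i < n_pos; ++i) rps.positive.push_back({ static_cast<int>(i) + 1, false});
    return rps;
}

// Runs the hardened path on a constructed set and reports what happened.
struct Outcome { bool accepted; std::size_t written; int first_poc; int last_poc; };
Outcome try_set(std::size_t n_neg, std::size_t n_pos, int curr_poc) {
    DecoderState st;
    bool ok = process_reference_picture_set(make_all_foll_rps(n_neg, n_pos), curr_poc, st);
    Outcome o{ok, st.NumPocStFoll, 0, 0};
    if (st.NumPocStFoll > 0) { o.first_poc = st.PocStFoll[0]; o.last_poc = st.PocStFoll[st.NumPocStFoll - 1]; }
    return o;
}

int main() {
    ShortTermRefPicSet fits  = make_all_foll_rps(8, 8);    // 16 entries: exactly fills the array
    ShortTermRefPicSet spill = make_all_foll_rps(12, 8);   // 20 entries: each list <= 16, sum > 16
    std::printf("fits : per-list ok=%d aggregate=%zu accepted=%d\n",
                per_list_check_passes(fits), count_foll_entries(fits), try_set(8, 8, 100).accepted);
    std::printf("spill: per-list ok=%d aggregate=%zu accepted=%d (unchecked loop would write index %zu of %zu)\n",
                per_list_check_passes(spill), count_foll_entries(spill), try_set(12, 8, 100).accepted,
                count_foll_entries(spill) - 1, kMaxPocStFoll);
    return 0;
}
```

The `spill` case is the shape of input to reason about: both lists individually satisfy a 16-entry cap, the per-list check passes, and an unchecked write loop would reach index 19 of a 16-entry array. The hardened function refuses the set before any write, which is the cheap, correct place to enforce the bound.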
Defensive priority
High. The crafted bitstream can arrive over the network (AV:N) with no authentication (PR:N) and needs only that a user or an automated service decode it (UI:R); the scored outcome is a decoder crash (A:H) with limited memory corruption (I:L), so a denial of service of any H.265 decoding path is the expected result.
Recommended defensive actions
- Update libde265 to version 1.0.20 or later, and rebuild or update any application that statically links or bundles it
- Take the fix from the vendor's official release or your distribution's package, not from unverified third-party rebuilds
- Inventory systems and applications that load libde265, including those that pull it in as a transitive dependency of a media framework
- Watch for decoder crashes in H.265 handling paths (crash dumps, sandbox terminations) as a signal of malformed or malicious streams
- Until patched, limit exposure: decode H.265 media from untrusted sources only in sandboxed or unprivileged processes, or reject HEVC input where it is not required
Evidence notes
The stored evidence records the publication on June 19, 2026 with a CVSS 3.1 score of 7.1 (HIGH), attributes the fault to a missing aggregate bound check in `decoder_context::process_reference_picture_set()`, names all libde265 versions prior to 1.0.20 as affected, and records 1.0.20 as the fixed release. No CISA KEV listing is present in the stored evidence.
Official resources
This article is AI-assisted and based on the supplied source corpus.