PatchSiren cyber security CVE debrief

CVE-2026-49346 strukturag CVE debrief

CVE-2026-49346 is a buffer overflow vulnerability in libde265, an open-source H.265 video codec implementation. A crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth can cause a signed integer overflow, leading to a heap buffer overflow. This issue was patched in version 1.1.0. Defenders should assess their exposure and prioritize patching due to the high CVSS score of 7.1.

Vendor: strukturag
Product: libde265
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-19
Original CVE updated: 2026-06-22
Advisory published: 2026-06-19
Advisory updated: 2026-06-22

Who should care

Organizations using libde265 or products that incorporate libde265 for H.265 video decoding should prioritize patching. This includes developers and maintainers of applications, systems, or devices that rely on libde265 for video processing. The high CVSS score indicates a significant risk, especially for applications exposed to untrusted video sources.

Technical summary

The vulnerability exists in the `de265_image_get_buffer()` function in `libde265/image.cc`. A crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow when the plane allocation size is computed, so the size wraps to a small value (~1 KB) and an undersized heap buffer is allocated. The subsequent `fill_image()` call, however, computes the real size in `size_t` and writes approximately 4 GB into that undersized buffer. The issue was fixed in libde265 version 1.1.0.
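The size mismatch described above, as an added illustration that is not libde265's code: a constructed plane geometry whose byte count is evaluated once in 32-bit arithmetic (emulating the wrapped allocation) and once in `size_t` (emulating the fill), alongside the overflow-checked computation a decoder should run before allocating. The `plane_geom` struct, all function names, the cap value and the 65537 x 32768 16-bit geometry are constructed assumptions; the example also assumes a 64-bit host where `size_t` is 64 bits wide.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed plane geometry for this example; not a libde265 type. */
struct plane_geom {
    int width;            /* picture width in samples (from the SPS) */
    int height;           /* picture height in samples (from the SPS) */
    int bytes_per_sample; /* 1 for 8-bit content, 2 for 9..16-bit content */
};

/* Constructed geometry: 65537 x 32768 at 16-bit depth. width*height*2 is
   2^32 + 65536 bytes, just over 4 GB, so it wraps when held in 32 bits. */
static struct plane_geom crafted_geom(void)
{
    struct plane_geom g = { 65537, 32768, 2 };
    return g;
}

/* An ordinary 1080p 8-bit geometry for comparison. */
static struct plane_geom sane_geom(void)
{
    struct plane_geom g = { 1920, 1080, 1 };
    return g;
}

/* Plane size evaluated in size_t (assumes a 64-bit host, so no wrap). This
   mirrors the size_t arithmetic the debrief attributes to fill_image(). */
static size_t true_plane_bytes(struct plane_geom g)
{
    return (size_t)g.width * (size_t)g.height * (size_t)g.bytes_per_sample;
}

/* The vulnerable pattern: the same product held in 32 bits. The real defect
   is a signed int overflow, which is undefined behaviour in C; uint32_t is
   used here so the wrap is well-defined, and on two's-complement hardware the
   truncated bit pattern matches what the signed computation produces. */
static uint32_t wrapped_alloc_bytes(struct plane_geom g)
{
    uint32_t w = (uint32_t)g.width;
    uint32_t h = (uint32_t)g.height;
    uint32_t bps = (uint32_t)g.bytes_per_sample;
    return w * h * bps;   /* 2^32 + 65536 reduces modulo 2^32 to 65536 */
}

/* True when the wrapped allocation is smaller than what a size_t-based fill
   would write: the condition for the heap buffer overflow. */
static bool alloc_is_undersized(struct plane_geom g)
{
    return (size_t)wrapped_alloc_bytes(g) < true_plane_bytes(g);
}

/* Hardened computation: widen before multiplying, check every step for
   overflow, and enforce an integrator-chosen cap. Returns 0 (never a valid
   plane size) when the geometry must be rejected. */
static size_t checked_plane_bytes(struct plane_geom g, size_t cap)
{
    if (g.width <= 0 || g.height <= 0 || g.bytes_per_sample <= 0) return 0;
    size_t w = (size_t)g.width;
    size_t h = (size_t)g.height;
    size_t bps = (size_t)g.bytes_per_sample;
    if (w > SIZE_MAX / h) return 0;            /* w*h would overflow size_t */
    size_t samples = w * h;
    if (samples > SIZE_MAX / bps) return 0;    /* *bps would overflow size_t */
    size_t bytes = samples * bps;
    if (bytes > cap) return 0;                 /* larger than any frame we accept */
    return bytes;
}

int main(void)
{
    struct plane_geom g = crafted_geom();
    printf("wrapped alloc: %u bytes, real size: %zu bytes, undersized: %s\n",
           (unsigned)wrapped_alloc_bytes(g), true_plane_bytes(g),
           alloc_is_undersized(g) ? "yes" : "no");
    printf("checked (cap 2 GiB): %zu\n", checked_plane_bytes(g, (size_t)1 << 31));
    printf("checked sane 1080p:  %zu\n", checked_plane_bytes(sane_geom(), (size_t)1 << 31));
    return 0;
}
```

The defensive point is the second half: the allocation-side and fill-side sizes must be computed with the same, overflow-checked arithmetic, and an explicit cap rejects dimensions no legitimate stream would carry before any buffer is allocated. A fuzzing harness or unit test for a decoder can feed the crafted geometry through the checked path and assert that it is rejected.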

Defensive priority

High priority due to the CVSS score of 7.1 and the potential for remote exploitation.

Recommended defensive actions

  • Inventory and assess the use of libde265 in your products or applications.
  • Review and apply the official patch to upgrade to libde265 version 1.1.0 or later.
  • Identify and monitor any compensating controls that may mitigate exposure.
  • Verify the integrity of video sources to reduce the risk of crafted bitstreams.
  • Track exceptions for any systems or applications that cannot be patched immediately.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. The issue is caused by a signed integer overflow in `de265_image_get_buffer()`, leading to a heap buffer overflow. The CVE was published and modified on June 19, 2026. References include commits and advisories from the libde265 GitHub repository.

Official resources

This article is AI-assisted and based on the supplied source corpus.