Listen to this Post
The vulnerability resides in the way libde265, an open-source H.265 decoder, handles a malformed Picture Parameter Set (PPS) NAL unit. When such a unit is parsed, the function `pic_parameter_set::set_derived_values()` is invoked. Due to missing or improper validation of the PPS data, the function attempts to access or compute values based on invalid parameters, leading to a segmentation fault. This crash effectively halts the decoding process, causing a denial of service. The issue affects all versions prior to 1.0.17. The root cause is a logic flaw in the derivation of dependent values from the malformed PPS, which does not account for corrupted or out‑of‑range fields. An attacker can exploit this by supplying a specially crafted H.265 bitstream to any application that uses the vulnerable libde265 version. The crash is immediate and requires no user interaction beyond delivering the malicious file. The patch in version 1.0.17 adds necessary sanity checks before entering the derived‑values routine, preventing the invalid memory access. The vulnerability was reported through GitHub security advisories and fixed with a commit that validates the PPS structure early in the parsing chain.
dailycve form:
Platform: libde265 library
Version: Before 1.0.17
Vulnerability: PPS parsing crash
Severity: Medium
date: 2026-03-20
Prediction: Already patched (1.0.17)
Analytics
What Undercode Say:
Check current libde265 version pkg-config --modversion libde265 Download and compile fixed version wget https://github.com/strukturag/libde265/archive/v1.0.17.tar.gz tar -xzf v1.0.17.tar.gz cd libde265-1.0.17 ./autogen.sh ./configure make && sudo make install Verify patch by testing a malformed sample (if available) Example: ffmpeg -i malicious.hevc -f null -
Exploit:
A remote attacker crafts a H.265 elementary stream containing a corrupted PPS NAL unit. When decoded by an affected application (e.g., a media player, converter, or thumbnailer), `pic_parameter_set::set_derived_values()` accesses uninitialized memory, causing immediate segmentation fault and service interruption.
Protection from this CVE
- Upgrade to libde265 version 1.0.17 or later.
- If upgrading is not immediately possible, sanitize all H.265 inputs using a strict validation layer before passing to the decoder.
- Employ ASLR and non‑executable stack as mitigating measures; however, they do not prevent the crash.
Impact
- Denial of service: any application relying on libde265 becomes unresponsive or crashes.
- May lead to repeated service interruptions if untrusted input is processed (e.g., media servers, image processors).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

