Listen to this Post
CVE-2025-61147 affects the libde265 H.265/HEVC video decoder, specifically the `decoder_context::compute_framedrop_table()` function. This function is invoked during the frame dropping logic when processing video streams. The vulnerability stems from improper validation of input data in the affected commit d9fea9d, where a malformed or crafted bitstream can cause a null pointer dereference or invalid memory access. As a result, the decoder attempts to read or write memory that has not been allocated or is out of bounds, triggering a segmentation fault.
The crash occurs deep within the decoder’s context management, as `compute_framedrop_table()` iterates over frames without adequate checks for the presence of required metadata. Attackers can exploit this by supplying a specially crafted HEVC file that triggers the flaw during playback or transcoding. This leads to an abrupt termination of the application using libde265, resulting in a denial-of-service condition. The vulnerability is present in all versions that include the vulnerable commit, and it can be triggered remotely if the library processes untrusted input. A patch is expected to replace the flawed logic with proper boundary and state checks, eliminating the unsafe memory operation.
dailycve form:
Platform: libde265
Version: commit d9fea9d
Vulnerability: Segmentation Fault
Severity: Medium
date: 02/23/2026
Prediction: March 24, 2026
Analytics under What Undercode Say:
Clone the vulnerable commit git clone https://github.com/strukturag/libde265.git cd libde265 git checkout d9fea9d Build with debug symbols ./autogen.sh ./configure --enable-debug make Run fuzzer or PoC against decoder ./dec265 --debug poc.hevc Use GDB to capture crash gdb --args ./dec265 poc.hevc (gdb) run (gdb) bt
Exploit:
Craft an HEVC file that triggers the `compute_framedrop_table()` function with missing frame context. When processed, the decoder dereferences a null pointer, causing a segmentation fault. No memory corruption beyond the crash is currently known, making it primarily a DoS vector.
Protection from this CVE
Update libde265 to a version that includes the fix (e.g., after commit d9fea9d). Until patched, avoid processing untrusted HEVC streams. Use application-layer wrappers that isolate the decoder to prevent service interruptions.
Impact
Denial of service – any application using the vulnerable libde265 version can be crashed by a malicious video file, disrupting media processing pipelines or playback services.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

