libde265, Segmentation Fault, CVE-2025-61147 (Medium)

Listen to this Post

CVE-2025-61147 affects the libde265 H.265/HEVC video decoder, specifically the `decoder_context::compute_framedrop_table()` function. This function is invoked during the frame dropping logic when processing video streams. The vulnerability stems from improper validation of input data in the affected commit d9fea9d, where a malformed or crafted bitstream can cause a null pointer dereference or invalid memory access. As a result, the decoder attempts to read or write memory that has not been allocated or is out of bounds, triggering a segmentation fault.
The crash occurs deep within the decoder’s context management, as `compute_framedrop_table()` iterates over frames without adequate checks for the presence of required metadata. Attackers can exploit this by supplying a specially crafted HEVC file that triggers the flaw during playback or transcoding. This leads to an abrupt termination of the application using libde265, resulting in a denial-of-service condition. The vulnerability is present in all versions that include the vulnerable commit, and it can be triggered remotely if the library processes untrusted input. A patch is expected to replace the flawed logic with proper boundary and state checks, eliminating the unsafe memory operation.

dailycve form:

Platform: libde265
Version: commit d9fea9d
Vulnerability: Segmentation Fault
Severity: Medium
date: 02/23/2026

Prediction: March 24, 2026

Analytics under What Undercode Say:

Clone the vulnerable commit
git clone https://github.com/strukturag/libde265.git
cd libde265
git checkout d9fea9d
Build with debug symbols
./autogen.sh
./configure --enable-debug
make
Run fuzzer or PoC against decoder
./dec265 --debug poc.hevc
Use GDB to capture crash
gdb --args ./dec265 poc.hevc
(gdb) run
(gdb) bt

Exploit:

Craft an HEVC file that triggers the `compute_framedrop_table()` function with missing frame context. When processed, the decoder dereferences a null pointer, causing a segmentation fault. No memory corruption beyond the crash is currently known, making it primarily a DoS vector.

Protection from this CVE

Update libde265 to a version that includes the fix (e.g., after commit d9fea9d). Until patched, avoid processing untrusted HEVC streams. Use application-layer wrappers that isolate the decoder to prevent service interruptions.

Impact

Denial of service – any application using the vulnerable libde265 version can be crashed by a malicious video file, disrupting media processing pipelines or playback services.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top