NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-49337

Summary	libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth. The retained headers are never freed until the picture is released, which may not happen during continuous streaming. Version 1.0.20 patches the issue.
Publication Date	June 20, 2026, 6:17 a.m.
Registration Date	June 27, 2026, 4:07 a.m.
Last Update	June 24, 2026, 12:44 a.m.

CVSS3.1 : MEDIUM
スコア	4.3
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	要
影響の想定範囲(S)	変更なし
機密性への影響(C)	なし
完全性への影響(I)	なし
可用性への影響(A)	低

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/strukturag/libde265/commit/683cb9fa603e35840642f98765ab95cdb71cadf9	security-advisories@github.com
2	https://github.com/strukturag/libde265/security/advisories/GHSA-g5hj-rf9f-7vxm	security-advisories@github.com
3	https://github.com/strukturag/libde265/security/advisories/GHSA-g5hj-rf9f-7vxm	134c704f-9b21-4f2e-91b3-4a467353bcc0

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-770	制限またはスロットリング無しのリソースの割り当て	https://cwe.mitre.org/data/definitions/770.html