CVE-2026-49337

Publication date 19 June 2026

Last updated 17 July 2026


Ubuntu priority

Cvss 3 Severity Score

4.3 · Medium

Score breakdown

Description

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth. The retained headers are never freed until the picture is released, which may not happen during continuous streaming. Version 1.0.20 patches the issue.

Status

Package Ubuntu Release Status
libde265 26.04 LTS resolute
Vulnerable
25.10 questing Ignored end of life, was needs-triage
24.04 LTS noble
Vulnerable
22.04 LTS jammy
Vulnerable
20.04 LTS focal
Vulnerable
18.04 LTS bionic
Vulnerable

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
libde265

Severity score breakdown

CVSS version: CVSS v3.0

Base score 4.3 · Medium

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L


Access our resources on patching vulnerabilities