Cyber Resilience

CVE-2026-33164

HighPublic PoC

Published: 20 March 2026

Published
20 March 2026
Modified
23 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0035 26.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33164 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Struktur Libde265. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 26.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33164 is a vulnerability in libde265, an open-source implementation of the H.265 video codec, affecting versions prior to 1.0.17. A malformed H.265 PPS NAL unit triggers a segmentation fault in the pic_parameter_set::set_derived_values() function. The issue maps to CWE-122 (heap-based buffer overflow) and CWE-476 (NULL pointer dereference), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact.

The vulnerability is exploitable remotely by unauthenticated attackers with low attack complexity and no user interaction required. By delivering a specially crafted H.265 video file or stream containing the malformed PPS NAL unit to a vulnerable libde265 instance, an attacker can cause a denial-of-service condition through application crash or segmentation fault, without affecting confidentiality or integrity.

Mitigation is available via an official patch in libde265 version 1.0.17. Security practitioners should upgrade affected deployments to this version or later. Additional details are provided in the GitHub security advisory (GHSA-wqrf-6rf5-v78r) and release notes for v1.0.17.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Malformed H.265 PPS NAL unit triggers heap buffer overflow/NULL dereference leading to segfault; directly enables Application or System Exploitation for Endpoint DoS (T1499.004) with no C/I impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4652Shared CWE-476
CVE-2026-28224Shared CWE-476
CVE-2023-34398Shared CWE-476
CVE-2025-21285Shared CWE-476
CVE-2026-29169Shared CWE-476
CVE-2025-0755Shared CWE-122
CVE-2026-7378Shared CWE-122
CVE-2026-31964Shared CWE-476
CVE-2026-8035Shared CWE-476
CVE-2025-69252Shared CWE-476

Affected Assets

struktur
libde265
≤ 1.0.17

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and patching of flaws like the heap buffer overflow and NULL pointer dereference in libde265 prior to version 1.0.17.

prevent

Mandates validation of H.265 video inputs to detect and reject malformed PPS NAL units before processing by the vulnerable libde265 decoder.

prevent

Implements memory safeguards that directly mitigate heap-based buffer overflows and NULL pointer dereferences causing segmentation faults in libde265.

References