CVE-2026-33164
Published: 20 March 2026
Summary
CVE-2026-33164 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Struktur Libde265. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 26.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-33164 is a vulnerability in libde265, an open-source implementation of the H.265 video codec, affecting versions prior to 1.0.17. A malformed H.265 PPS NAL unit triggers a segmentation fault in the pic_parameter_set::set_derived_values() function. The issue maps to CWE-122 (heap-based buffer overflow) and CWE-476 (NULL pointer dereference), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact.
The vulnerability is exploitable remotely by unauthenticated attackers with low attack complexity and no user interaction required. By delivering a specially crafted H.265 video file or stream containing the malformed PPS NAL unit to a vulnerable libde265 instance, an attacker can cause a denial-of-service condition through application crash or segmentation fault, without affecting confidentiality or integrity.
Mitigation is available via an official patch in libde265 version 1.0.17. Security practitioners should upgrade affected deployments to this version or later. Additional details are provided in the GitHub security advisory (GHSA-wqrf-6rf5-v78r) and release notes for v1.0.17.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13810
Vulnerability details
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Malformed H.265 PPS NAL unit triggers heap buffer overflow/NULL dereference leading to segfault; directly enables Application or System Exploitation for Endpoint DoS (T1499.004) with no C/I impact.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and patching of flaws like the heap buffer overflow and NULL pointer dereference in libde265 prior to version 1.0.17.
Mandates validation of H.265 video inputs to detect and reject malformed PPS NAL units before processing by the vulnerable libde265 decoder.
Implements memory safeguards that directly mitigate heap-based buffer overflows and NULL pointer dereferences causing segmentation faults in libde265.