What is CVE-2026-33165?

CVE-2026-33165 is a medium-severity vulnerability in Strukturag Libde265, classified under Out-of-bounds Write. CVSS score: 5.5/10. Published 2026-03-20.

How severe is CVE-2026-33165?

Medium severity. CVSS v3 base score is 5.5 out of 10.

Buffer overflow in Strukturag Libde265

CVE-2026-33165

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an S…

Vulnerability class: Buffer Overflow

EPSS: 0.000 (0.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.5 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.

Affected products

Strukturag Libde265 — versions < 1.0.17

Weakness classification (CWE)

CWE-787 — Out-of-bounds Write

References

https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg (x_refsource_CONFIRM)
https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658 (x_refsource_MISC)
https://github.com/strukturag/libde265/releases/tag/v1.0.17 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33165?: CVE-2026-33165 is a medium-severity vulnerability in Strukturag Libde265, classified under Out-of-bounds Write. CVSS score: 5.5/10. Published 2026-03-20.
How severe is CVE-2026-33165?: Medium severity. CVSS v3 base score is 5.5 out of 10.