CVE-2026-49295

Name	CVE-2026-49295
Description	libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1140431

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libde265 (PTS)	bullseye	1.0.11-0+deb11u3	vulnerable
	bullseye (security)	1.0.11-0+deb11u4	vulnerable
	bookworm	1.0.11-1+deb12u2	vulnerable
	trixie	1.0.15-1	vulnerable
	forky, sid	1.0.18-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libde265	source	(unstable)	(unfixed)			1140431

Notes

https://github.com/strukturag/libde265/security/advisories/GHSA-g2rg-wj66-w594
Fixed by: https://github.com/strukturag/libde265/commit/691f3a3c55b3d32478c4a49895dee061a282652 (v1.1.0)