libde265 - Debian Package Tracker

general

source: libde265 (main)
version: 1.0.18-1
maintainer: Debian Multimedia Maintainers (archive) (DMD)
uploaders: Alessio Treglia [DMD] – Joachim Bauch [DMD]
arch: any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.0.11-0+deb11u3
o-o-sec: 1.0.11-0+deb11u4
oldstable: 1.0.11-1+deb12u2
stable: 1.0.15-1
testing: 1.0.18-1
unstable: 1.0.18-1

versioned links

1.0.11-0+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.0.11-0+deb11u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.0.11-1+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.0.15-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.0.18-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libde265-0
libde265-dev (1 bugs: 0, 0, 1, 0)
libde265-examples

action needed

A new upstream version is available: 1.1.1 high

A new upstream version 1.1.1 is available, you should consider packaging it.

Created: 2026-05-21 Last update: 2026-06-27 02:00

7 security issues in trixie high

There are 7 open security issues in trixie.

5 important issues:

CVE-2026-33164: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.
CVE-2026-33165: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.
CVE-2026-49295: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.
CVE-2026-49337: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth. The retained headers are never freed until the picture is released, which may not happen during continuous streaming. Version 1.0.20 patches the issue.
CVE-2026-49346: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow wraps the plane allocation size to a small value (~1 KB), but the subsequent `fill_image()` call computes the real size using `size_t`, writing ~4 GB into the undersized heap buffer. Version 1.1.0 patches the issue.

2 issues left for the package maintainer to handle:

CVE-2024-38949: (postponed; to be fixed through a stable update) Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc
CVE-2024-38950: (postponed; to be fixed through a stable update) Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-08-09 Last update: 2026-06-20 11:01

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2024-38949: Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc
CVE-2024-38950: Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function.
CVE-2026-49295: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.
CVE-2026-49337: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth. The retained headers are never freed until the picture is released, which may not happen during continuous streaming. Version 1.0.20 patches the issue.
CVE-2026-49346: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow wraps the plane allocation size to a small value (~1 KB), but the subsequent `fill_image()` call computes the real size using `size_t`, writing ~4 GB into the undersized heap buffer. Version 1.1.0 patches the issue.

Created: 2024-06-27 Last update: 2026-06-20 11:01

5 security issues in forky high

There are 5 open security issues in forky.

5 important issues:

CVE-2024-38949: Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc
CVE-2024-38950: Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function.
CVE-2026-49295: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.
CVE-2026-49337: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth. The retained headers are never freed until the picture is released, which may not happen during continuous streaming. Version 1.0.20 patches the issue.
CVE-2026-49346: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow wraps the plane allocation size to a small value (~1 KB), but the subsequent `fill_image()` call computes the real size using `size_t`, writing ~4 GB into the undersized heap buffer. Version 1.1.0 patches the issue.

Created: 2025-08-09 Last update: 2026-06-20 11:01

8 security issues in bookworm high

There are 8 open security issues in bookworm.

5 important issues:

CVE-2026-33164: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.
CVE-2026-33165: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.
CVE-2026-49295: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.
CVE-2026-49337: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth. The retained headers are never freed until the picture is released, which may not happen during continuous streaming. Version 1.0.20 patches the issue.
CVE-2026-49346: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow wraps the plane allocation size to a small value (~1 KB), but the subsequent `fill_image()` call computes the real size using `size_t`, writing ~4 GB into the undersized heap buffer. Version 1.1.0 patches the issue.

3 issues left for the package maintainer to handle:

CVE-2023-51792: (needs triaging) Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attacker to cause a denial of service via the allocation size exceeding the maximum supported size of 0x10000000000.
CVE-2024-38949: (postponed; to be fixed through a stable update) Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc
CVE-2024-38950: (postponed; to be fixed through a stable update) Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-04-23 Last update: 2026-06-20 11:01

5 security issues in bullseye high

There are 5 open security issues in bullseye.

3 important issues:

CVE-2026-49295: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry `PocStFoll` array, writing at index 16. Version 1.0.20 patches the issue.
CVE-2026-49337: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth. The retained headers are never freed until the picture is released, which may not happen during continuous streaming. Version 1.0.20 patches the issue.
CVE-2026-49346: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow wraps the plane allocation size to a small value (~1 KB), but the subsequent `fill_image()` call computes the real size using `size_t`, writing ~4 GB into the undersized heap buffer. Version 1.1.0 patches the issue.

2 issues postponed or untriaged:

CVE-2024-38949: (needs triaging) Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc
CVE-2024-38950: (needs triaging) Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function.

Created: 2026-06-20 Last update: 2026-06-20 11:01

lintian reports 2 errors and 3 warnings high

Lintian reports 2 errors and 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-04-03 Last update: 2026-04-03 12:00

3 security issues in buster high

There are 3 open security issues in buster.

2 important issues:

CVE-2024-38949: Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc
CVE-2024-38950: Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function.

1 issue postponed or untriaged:

CVE-2023-51792: (postponed; to be fixed through a stable update) Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attacker to cause a denial of service via the allocation size exceeding the maximum supported size of 0x10000000000.

Created: 2024-06-27 Last update: 2024-06-28 15:00

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-09-22 Last update: 2025-09-22 20:33

debian/patches: 3 patches to forward upstream low

Among the 4 debian patches available in version 1.0.18-1 of the package, we noticed the following issues:

3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-04-03 11:32

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2025-12-23 Last update: 2026-04-03 06:00

news

[rss feed]

[2026-04-26] Accepted libde265 1.0.11-0+deb11u4 (source) into oldoldstable-security (Andreas Henriksson)
[2026-04-05] libde265 1.0.18-1 MIGRATED to testing (Debian testing watch)
[2026-04-02] Accepted libde265 1.0.18-1 (source) into unstable (Joachim Bauch)
[2025-08-17] libde265 1.0.16-1 MIGRATED to testing (Debian testing watch)
[2025-05-13] Accepted libde265 1.0.16-1 (source) into unstable (Joachim Bauch)
[2024-02-02] Accepted libde265 1.0.11-0+deb11u3 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Thorsten Alteholz)
[2024-02-02] Accepted libde265 1.0.11-1+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Thorsten Alteholz)
[2023-12-30] Accepted libde265 1.0.11-0+deb11u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Thorsten Alteholz)
[2023-12-30] Accepted libde265 1.0.11-0+deb10u6 (source) into oldoldstable (Thorsten Alteholz)
[2023-12-29] libde265 1.0.15-1 MIGRATED to testing (Debian testing watch)
[2023-12-27] Accepted libde265 1.0.15-1 (source) into unstable (Joachim Bauch) (signed by: Aron Xu)
[2023-12-03] Accepted libde265 1.0.11-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Thorsten Alteholz)
[2023-11-30] Accepted libde265 1.0.11-0+deb10u5 (source) into oldoldstable (Anton Gladky)
[2023-11-24] libde265 1.0.13-1 MIGRATED to testing (Debian testing watch)
[2023-11-21] Accepted libde265 1.0.13-1 (source) into unstable (Joachim Bauch) (signed by: Thorsten Alteholz)
[2023-09-21] libde265 1.0.12-2 MIGRATED to testing (Debian testing watch)
[2023-09-19] Accepted libde265 1.0.12-2 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2023-06-25] libde265 1.0.12-1 MIGRATED to testing (Debian testing watch)
[2023-06-25] libde265 1.0.12-1 MIGRATED to testing (Debian testing watch)
[2023-06-25] libde265 1.0.12-1 MIGRATED to testing (Debian testing watch)
[2023-06-20] Accepted libde265 1.0.12-1 (source) into unstable (Joachim Bauch) (signed by: Tobias Frost)
[2023-03-04] Accepted libde265 1.0.11-0+deb10u4 (source) into oldstable (Tobias Frost)
[2023-02-12] Accepted libde265 1.0.11-0+deb11u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Tobias Frost)
[2023-02-10] Accepted libde265 1.0.11-0+deb11u1 (source) into stable-security (Debian FTP Masters) (signed by: Tobias Frost)
[2023-02-08] libde265 1.0.11-1 MIGRATED to testing (Debian testing watch)
[2023-02-02] Accepted libde265 1.0.11-1 (source) into unstable (Joachim Bauch) (signed by: Tobias Frost)
[2023-01-27] libde265 1.0.9-1.1 MIGRATED to testing (Debian testing watch)
[2023-01-27] libde265 1.0.9-1.1 MIGRATED to testing (Debian testing watch)
[2023-01-24] Accepted libde265 1.0.3-1+deb10u3 (source) into oldstable (Tobias Frost)
[2023-01-24] Accepted libde265 1.0.3-1+deb10u2 (source amd64) into oldstable (Tobias Frost)

bugs [bug history graph]

all: 3
RC: 0
I&N: 2
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (2, 3)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.0.18-1