CVE-2026-45383

Public on 2026-07-02
Modified on 2026-07-02
Description
A heap buffer overflow (out-of-bounds READ) exists in decoder_context::decode_slice_unit_WPP() in libde265/decctx.cc. When decoding a WPP (Wavefront Parallel Processing) HEVC slice, ctbAddrRS is computed as ctbRow * ctbsWidth inside the entry-point loop. If the PPS/SPS headers are crafted so that this value exceeds pps.CtbAddrRStoTS.size(), the subsequent array access pps.CtbAddrRStoTS[ctbAddrRS] reads past the end of the allocated vector, triggering a heap-buffer-overflow confirmed by AddressSanitizer.
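The kind of range check that prevents this read, shown as an added example on a simplified model; it is not libde265's code or its actual fix. Only CtbAddrRStoTS, ctbRow, ctbsWidth and ctbAddrRS come from the description; PpsModel, make_identity_pps, ctb_rs_to_ts and validate_wpp_rows are hypothetical names, and the 4x3 picture is constructed sample data.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified stand-in for the PPS state named in the advisory (hypothetical type).
struct PpsModel {
    std::vector<int> CtbAddrRStoTS;  // raster-scan -> tile-scan CTB address map
};

// Constructed sample: identity map for a picture of widthCtbs x heightCtbs CTBs.
PpsModel make_identity_pps(size_t widthCtbs, size_t heightCtbs) {
    PpsModel pps;
    pps.CtbAddrRStoTS.resize(widthCtbs * heightCtbs);
    for (size_t i = 0; i < pps.CtbAddrRStoTS.size(); ++i)
        pps.CtbAddrRStoTS[i] = static_cast<int>(i);
    return pps;
}

// Checked form of pps.CtbAddrRStoTS[ctbRow * ctbsWidth].
// Returns false, without touching the vector, when the index would be out of range.
bool ctb_rs_to_ts(const PpsModel& pps, uint64_t ctbRow, uint64_t ctbsWidth, int* out) {
    const uint64_t size = pps.CtbAddrRStoTS.size();
    if (size == 0 || ctbsWidth == 0) return false;
    // Compare by division so a huge ctbRow cannot wrap the multiplication.
    if (ctbRow > (size - 1) / ctbsWidth) return false;
    const uint64_t ctbAddrRS = ctbRow * ctbsWidth;  // now known to be < size
    *out = pps.CtbAddrRStoTS[static_cast<size_t>(ctbAddrRS)];
    return true;
}

// Models the entry-point loop: one row start per entry point. A slice whose
// headers claim more rows than the table covers is rejected as corrupt.
bool validate_wpp_rows(const PpsModel& pps, uint64_t firstRow, uint64_t nRows, uint64_t ctbsWidth) {
    for (uint64_t i = 0; i < nRows; ++i) {
        int ts = 0;
        if (!ctb_rs_to_ts(pps, firstRow + i, ctbsWidth, &ts)) return false;
    }
    return true;
}

int main() {
    PpsModel pps = make_identity_pps(4, 3);  // 12 table entries
    std::printf("3 rows: %s\n", validate_wpp_rows(pps, 0, 3, 4) ? "ok" : "rejected");
    std::printf("5 rows: %s\n", validate_wpp_rows(pps, 0, 5, 4) ? "ok" : "rejected");
    return 0;
}
```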
Severity
Medium
CVSS v3 Base Score
6.5

Affected Packages

Platform          | Package  | Release Date | Advisory | Status
Amazon Linux 2023 | libde265 |              |          | Pending Fix

CVSS Scores

             | Score Type | Score | Vector
Amazon Linux | CVSSv3     | 6.5   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H