libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in decoder_context::process_reference_picture_set() (libde265/decctx.cc:1376). The root cause is a missing aggregate bound check on predicted short-term reference picture set entries. Individual list sizes are validated, but the combined count after predicted RPS construction can exceed the 16-entry PocStFoll array, writing at index 16. Version 1.0.20 patches the issue.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49295.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-787"
],
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"fixed": "1.0.20"
}
]
}
]
}