{"url":"http://public2.vulnerablecode.io/api/packages/439278?format=json","purl":"pkg:apk/alpine/libde265@1.0.18-r0?arch=x86&distroversion=edge&reponame=main","type":"apk","namespace":"alpine","name":"libde265","version":"1.0.18-r0","qualifiers":{"arch":"x86","distroversion":"edge","reponame":"main"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75936?format=json","vulnerability_id":"VCID-8zp7-c9b2-mfh2","summary":"libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33165","reference_id":"","reference_type":"","scores":[{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00322","published_at":"2026-06-07T12:55:00Z"},{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.0032","published_at":"2026-06-09T12:55:00Z"},{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00327","published_at":"2026-06-06T12:55:00Z"},{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00326","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33165"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33165","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33165"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131468","reference_id":"1131468","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131468"},{"reference_url":"https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658","reference_id":"c7891e412106130b83f8e8ea8b7f907e9449b658","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:45:05Z/"}],"url":"https://github.com/strukturag/libde265/commit/c7891e412106130b83f8e8ea8b7f907e9449b658"},{"reference_url":"https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg","reference_id":"GHSA-653q-9f73-8hvg","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:45:05Z/"}],"url":"https://github.com/strukturag/libde265/security/advisories/GHSA-653q-9f73-8hvg"},{"reference_url":"https://github.com/strukturag/libde265/releases/tag/v1.0.17","reference_id":"v1.0.17","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:45:05Z/"}],"url":"https://github.com/strukturag/libde265/releases/tag/v1.0.17"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/439278?format=json","purl":"pkg:apk/alpine/libde265@1.0.18-r0?arch=x86&distroversion=edge&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/libde265@1.0.18-r0%3Farch=x86&distroversion=edge&reponame=main"}],"aliases":["CVE-2026-33165"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"5.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8zp7-c9b2-mfh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75935?format=json","vulnerability_id":"VCID-w3pa-gw6k-ckej","summary":"libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33164","reference_id":"","reference_type":"","scores":[{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.2623","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26333","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26325","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.2628","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26224","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33164"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33164","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33164"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131469","reference_id":"1131469","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131469"},{"reference_url":"https://github.com/strukturag/libde265/security/advisories/GHSA-wqrf-6rf5-v78r","reference_id":"GHSA-wqrf-6rf5-v78r","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:50:40Z/"}],"url":"https://github.com/strukturag/libde265/security/advisories/GHSA-wqrf-6rf5-v78r"},{"reference_url":"https://github.com/strukturag/libde265/releases/tag/v1.0.17","reference_id":"v1.0.17","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:50:40Z/"}],"url":"https://github.com/strukturag/libde265/releases/tag/v1.0.17"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/439278?format=json","purl":"pkg:apk/alpine/libde265@1.0.18-r0?arch=x86&distroversion=edge&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/libde265@1.0.18-r0%3Farch=x86&distroversion=edge&reponame=main"}],"aliases":["CVE-2026-33164"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w3pa-gw6k-ckej"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/libde265@1.0.18-r0%3Farch=x86&distroversion=edge&reponame=main"}