ALAS2023-2026-1585


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1585
Advisory Released Date: 2026-04-13
Advisory Updated Date: 2026-04-13
Severity: Important

Issue Overview:

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17. (CVE-2026-33164)

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17. (CVE-2026-33165)
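The stale-field condition described for CVE-2026-33165 can be shown with a simplified model. This C example is added here and is neither libde265 source nor part of the advisory. `MetaArray`, `meta_update`, `meta_set_checked` and `simulate` are hypothetical names, the picture sizes are constructed, and the bounds-checked store is one defensive pattern, not a description of the upstream patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified per-CTB metadata array (hypothetical model, not libde265 code). */
typedef struct {
    uint16_t *data;                      /* one 2-byte entry per CTB */
    int width_in_units, height_in_units; /* CTB grid at allocation time */
    int log2unitSize;                    /* Log2CtbSizeY at allocation time */
} MetaArray;

/* refresh_unit == 0 models the stale-field pattern: when the CTB grid is
   unchanged the function returns early and log2unitSize keeps its old value. */
static int meta_update(MetaArray *m, int w, int h, int log2, int refresh_unit) {
    if (m->data && m->width_in_units == w && m->height_in_units == h) {
        if (refresh_unit) m->log2unitSize = log2;
        return 0;
    }
    free(m->data);
    m->data = calloc((size_t)w * (size_t)h, sizeof *m->data);
    if (!m->data) return -1;
    m->width_in_units = w; m->height_in_units = h; m->log2unitSize = log2;
    return 0;
}

/* Bounds-checked store: 0 on success, -1 if (x,y) maps outside the grid. */
static int meta_set_checked(MetaArray *m, int x, int y, uint16_t v) {
    if (x < 0 || y < 0) return -1;
    int ux = x >> m->log2unitSize, uy = y >> m->log2unitSize;
    if (ux >= m->width_in_units || uy >= m->height_in_units) return -1;
    m->data[ux + uy * m->width_in_units] = v;
    return 0;
}

/* Constructed scenario: the grid stays 4x4 while Log2CtbSizeY goes 4 -> 6
   (64x64 picture becomes 256x256). With a stale shift of 4, sample (255,255)
   maps to unit (15,15) in a 4x4 grid; the check rejects it and returns -1. */
static int simulate(int refresh_unit) {
    MetaArray m = {0};
    if (meta_update(&m, 4, 4, 4, refresh_unit) != 0) return -2;
    if (meta_update(&m, 4, 4, 6, refresh_unit) != 0) return -2;
    int rc = meta_set_checked(&m, 255, 255, 1);
    free(m.data);
    return rc;
}

int main(void) {
    printf("stale: %d, refreshed: %d\n", simulate(0), simulate(1));
    return 0;
}
```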


Affected Packages:

libde265


Issue Correction:
Run one of the following commands to update your system:
    dnf update libde265 --releasever 2023.11.20260413
    dnf update --advisory ALAS2023-2026-1585 --releasever 2023.11.20260413
More information on how to update your system can be found in the Amazon Linux 2023 documentation.

New Packages:
aarch64:
    libde265-debuginfo-1.0.18-1.amzn2023.0.1.aarch64
    libde265-devel-1.0.18-1.amzn2023.0.1.aarch64
    libde265-1.0.18-1.amzn2023.0.1.aarch64
    libde265-debugsource-1.0.18-1.amzn2023.0.1.aarch64

src:
    libde265-1.0.18-1.amzn2023.0.1.src

x86_64:
    libde265-debuginfo-1.0.18-1.amzn2023.0.1.x86_64
    libde265-devel-1.0.18-1.amzn2023.0.1.x86_64
    libde265-1.0.18-1.amzn2023.0.1.x86_64
    libde265-debugsource-1.0.18-1.amzn2023.0.1.x86_64