CVE-2021-36409 – CVE-2021-36409 is a vulnerability in libde265 v... (How to Fix)

Q: What is the severity of CVE-2021-36409?

CVE-2021-36409 has a CVSS score of 7.8 (HIGH). CVE-2021-36409 is a vulnerability in libde265 v1.0.8 where a failed assertion during video file decoding causes a denial of service. Attackers can crash applications using this library by providing a specially crafted video file. This affects any software that uses the vulnerable libde265 library for HEVC/H.265 video decoding.

📋 TL;DR

CVE-2021-36409 is a vulnerability in libde265 v1.0.8 where a failed assertion during video file decoding causes a denial of service. Attackers can crash applications using this library by providing a specially crafted video file. This affects any software that uses the vulnerable libde265 library for HEVC/H.265 video decoding.

💻 Affected Systems

Products:

libde265
Software using libde265 library for HEVC/H.265 decoding

Versions: libde265 v1.0.8 and possibly earlier versions

Operating Systems: Linux, Windows, macOS, Any OS running vulnerable libde265

Default Config Vulnerable: ⚠️ Yes

Notes: Any application using libde265 for HEVC video decoding is vulnerable when processing malicious files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application crash leading to denial of service; potential for remote code execution if the assertion failure can be leveraged for memory corruption.

🟠

Likely Case

Application crash and denial of service when processing malicious video files.

🟢

If Mitigated

Minimal impact if patched version is used or vulnerable functionality is disabled.

🌐 Internet-Facing: MEDIUM - Applications processing user-uploaded video files could be targeted, but requires specific file format.

🏢 Internal Only: LOW - Requires local file access or internal file processing; less likely to be exploited internally.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires crafting a malicious HEVC video file; proof-of-concept exists in GitHub issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libde265 v1.0.9 and later

Vendor Advisory: https://github.com/strukturag/libde265/issues/300

Restart Required: Yes

Instructions:

1. Update libde265 to version 1.0.9 or later. 2. For Debian/Ubuntu: apt update && apt upgrade libde265. 3. Rebuild/reinstall any applications using libde265. 4. Restart affected services.

🔧 Temporary Workarounds

Disable HEVC decoding

all

Disable HEVC/H.265 video processing in applications using libde265

Application-specific configuration required

Input validation

all

Implement strict file validation for video uploads/processing

Implement file signature validation before processing

🧯 If You Can't Patch

Implement network segmentation to isolate systems using vulnerable libde265
Deploy application allowlisting to prevent execution of untrusted video files

🔍 How to Verify

Check if Vulnerable:

Check libde265 version: dpkg -l | grep libde265 or rpm -qa | grep libde265

Check Version:

dpkg -l | grep libde265  # Debian/Ubuntu
rpm -qa | grep libde265  # RHEL/CentOS
brew list --versions libde265  # macOS

Verify Fix Applied:

Verify libde265 version is 1.0.9 or higher: libde265 --version

📡 Detection & Monitoring

Log Indicators:

Application crashes with assertion failure messages
Error logs containing 'scaling_list_pred_matrix_id_delta==1'
Segmentation faults in video processing applications

Network Indicators:

Unusual video file uploads to web applications
Multiple failed video processing attempts

SIEM Query:

source="application.logs" AND ("assertion failed" OR "scaling_list_pred_matrix_id_delta" OR "libde265 crash")

📊 Metadata

CVE ID: CVE-2021-36409

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-617

Published: January 10, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/strukturag/libde265/issues/300 Exploit,Issue Tracking
https://lists.debian.org/debian-lts-announce/2022/12/msg00027.html Issue Tracking,Mailing List
https://www.debian.org/security/2023/dsa-5346 Issue Tracking
https://github.com/strukturag/libde265/issues/300 Exploit,Issue Tracking
https://lists.debian.org/debian-lts-announce/2022/12/msg00027.html Issue Tracking,Mailing List
https://www.debian.org/security/2023/dsa-5346 Issue Tracking

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-36409, you might also want to check these: