SB2026042755 - Multiple vulnerabilities in libheif

Description

This security bulletin contains information about 2 vulnerabilities.

1) Integer overflow (CVE-ID: N/A)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to overwrite image data.

The vulnerability exists due to integer overflow in readTiledSeparate() in heifio/decoder_tiff.cc when decoding crafted tiled TIFF images. A remote attacker can trick the victim into processing a specially crafted TIFF image to overwrite image data.

User interaction is required to process the crafted image.

2) NULL pointer dereference (CVE-ID: N/A)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a null pointer dereference in HeifFile::get_item_data() when parsing a crafted HEIF file with a non-pict handler type and enumerating item data. A remote attacker can supply a specially crafted HEIF file to cause a denial of service.

The issue is triggered after parsing succeeds despite the malformed hdlr box leaving the mandatory m_iloc_box pointer uninitialized, and an application subsequently calls heif_item_get_item_data().

Remediation

Install update from vendor's website.

References

• https://github.com/strukturag/libheif/security/advisories/GHSA-wjj2-gjqj-5gr4
• https://github.com/strukturag/libheif/security/advisories/GHSA-h27h-4hc4-5vf5
• https://github.com/advisories/GHSA-h27h-4hc4-5vf5