SB2026052069 - Multiple vulnerabilities in libheif




Published: May 20, 2026 Updated: May 20, 2026

Security Bulletin ID: SB2026052069
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 22
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 9% Medium 82% Low 9%

Description

This security bulletin contains information about 22 vulnerabilities.


1) NULL pointer dereference (CVE-ID: CVE-2026-47709)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a null pointer dereference in heif_image_handle_get_image_tiling() when processing a malformed uncompressed HEIF image item missing the ispe property. A remote attacker can supply a specially crafted HEIF file to cause a denial of service.

The issue is reachable through the public C API and may trigger an assertion in debug builds.


2) Use of uninitialized resource (CVE-ID: CVE-2026-47247)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to use of uninitialized resource and incorrect calculation in libheif grid image decoding when parsing a crafted AVIF or HEIC grid image. A remote attacker can upload a specially crafted image for decoding and obtain heap memory contents from visible pixels in the decoded output to disclose sensitive information.

The leaked data may include heap contents such as library function pointers that can be used to defeat ASLR, and the issue is exposed when decoded output is made available to the attacker.


3) Integer overflow (CVE-ID: N/A)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause incorrect association of auxiliary metadata with decoded samples.

The vulnerability exists due to integer overflow in SampleAuxInfoReader::get_sample_info() in libheif/sequences/track.cc when processing a crafted HEIF sequence file with a large number of samples. A remote attacker can supply a specially crafted sequence file to cause incorrect association of auxiliary metadata with decoded samples.

The resulting wrapped offset causes auxiliary data to be read from an unintended file position, and user interaction is required to open or process the crafted file.


4) Out-of-bounds write (CVE-ID: CVE-2026-47178)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to out-of-bounds write in unc_decoder_component_interleave::decode_tile() when parsing a crafted HEIF file using the uncompressed unci codec with tiled, component-interleaved 4:2:0 content. A remote attacker can supply a specially crafted HEIF file to execute arbitrary code.

Only instances built with WITH_UNCOMPRESSED_CODEC=ON are vulnerable.


5) Out-of-bounds read (CVE-ID: CVE-2026-47251)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.

The vulnerability exists due to out-of-bounds read in vvdec_push_data2 in libheif's VVC decoder plugin when parsing a crafted HEIF file with a VVC track. A remote attacker can supply a specially crafted HEIF file to cause a denial of service and disclose sensitive information.

User interaction is required to open or decode the crafted file. Only builds with VVC support enabled are vulnerable.


6) Out-of-bounds read (CVE-ID: CVE-2026-47254)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or disclose sensitive information.

The vulnerability exists due to out-of-bounds read in Track::get_next_sample_raw_data() when parsing a crafted HEIC sequence file and retrieving raw sequence samples. A remote attacker can supply a specially crafted file to cause a denial of service or disclose sensitive information.

The issue is triggered when the number of chunks defined in the stco box is less than the number of samples in stsz, causing an invalid chunk index to be stored in the presentation timeline.


7) Incorrect calculation (CVE-ID: N/A)

CWE-ID: CWE-682 - Incorrect Calculation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass container-boundary checks.

The vulnerability exists due to incorrect calculation in BitstreamRange::BitstreamRange(istr, start, end) in libheif/bitstream.cc when parsing crafted HEIF or AVIF files with a non-zero container start offset. A remote attacker can supply a specially crafted file to bypass container-boundary checks.

The demonstrated impact is limited to incorrect parsing behavior, with no crash, memory corruption, data exfiltration, or availability impact shown on the standard in-memory parse path.


8) Out-of-bounds read (CVE-ID: CVE-2026-41069)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in SampleAuxInfoReader::SampleAuxInfoReader in libheif/sequences/track.cc when parsing a malformed HEIF sequence file through heif_context_read_from_file. A remote attacker can supply a specially crafted file to cause a denial of service.

User interaction is required to open or process a crafted HEIF file.


9) Reachable assertion (CVE-ID: N/A)

CWE-ID: CWE-617 - Reachable Assertion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to reachable assertion in read32 in the EXIF parsing path when processing a crafted JPEG file containing a short EXIF TIFF payload. A remote attacker can send a specially crafted JPEG file to cause a denial of service.

User interaction is required to process the crafted JPEG file.


10) Out-of-bounds read (CVE-ID: N/A)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to out-of-bounds read in find_exif_tag / read32 in the EXIF parsing path when processing a crafted JPEG file containing a short EXIF TIFF payload. A remote attacker can send a specially crafted JPEG file to disclose sensitive information.

The out-of-bounds read occurs in release-like builds with assertions disabled.


11) Heap-based buffer overflow (CVE-ID: N/A)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or potentially execute arbitrary code.

The vulnerability exists due to heap-based buffer overflow in image plane allocation in libheif/pixelimage.cc when processing crafted image data or using the public heif_image_add_plane API. A remote attacker can trigger a uint32_t stride calculation overflow that leads to an undersized heap allocation and subsequent out-of-bounds write to cause a denial of service or potentially execute arbitrary code.

The security limit check validates pixel count rather than stride, and the heif_image_add_plane code path bypasses limits entirely.


12) Integer overflow (CVE-ID: N/A)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to integer overflow in compute_tile_data_size_bytes in libheif/codecs/uncompressed/unc_encoder_rgb_bytealign_pixel_interleave.cc when processing crafted image data. A remote attacker can supply values that trigger 32-bit multiplication wraparound in tile size calculations to cause a denial of service.

The wrapped result is used for tile data offset calculation in unc_image.cc.


13) Heap-based buffer overflow (CVE-ID: N/A)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or potentially execute arbitrary code.

The vulnerability exists due to heap-based buffer overflow in heif_region_item_add_region_inline_mask in libheif/api/libheif/heif_regions.cc when processing crafted region mask dimensions. A remote attacker can trigger a 32-bit multiplication overflow in width and height calculations to create an undersized buffer and then overflow it with a subsequent memset to cause a denial of service or potentially execute arbitrary code.
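Entries 11, 12 and 13 share one root cause: a byte count computed in 32-bit arithmetic wraps before it reaches the allocator, so the later write covers more bytes than were allocated. The following added example (not libheif code; function names and the byte cap are hypothetical) shows that unchecked pattern beside an overflow-checked form, and applies the limit to the allocated stride * height rather than to the pixel count alone, as entry 11 notes the original check did not.

```c
/* Added example, not libheif code: the 32-bit size arithmetic described for
 * entries 11 and 13 (stride and width*height computed in uint32_t), beside an
 * overflow-checked form. All names and the cap value are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Unchecked pattern: width * height wraps modulo 2^32 for large dimensions,
 * so a buffer sized from it is undersized relative to a memset that walks
 * the full mask. Returns the wrapped value for illustration. */
uint32_t unchecked_mask_bytes(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Hardened: multiply in 64 bits, reject overflow, zero sizes and sizes above
 * the caller's byte cap. Returns the byte count, or 0 when rejected. */
size_t checked_mask_bytes(uint32_t width, uint32_t height, uint64_t cap)
{
    uint64_t n;
    if (width == 0 || height == 0) return 0;
    if (__builtin_mul_overflow((uint64_t)width, (uint64_t)height, &n)) return 0;
    if (n > cap || n > (uint64_t)SIZE_MAX) return 0;
    return (size_t)n;
}

/* Plane case: the limit must apply to the bytes actually allocated
 * (aligned stride * height), not only to the pixel count. */
size_t checked_plane_bytes(uint32_t width, uint32_t height,
                           uint32_t bytes_per_pixel, uint32_t align, uint64_t cap)
{
    uint64_t stride, total;
    if (width == 0 || height == 0 || bytes_per_pixel == 0 || align == 0) return 0;
    if (__builtin_mul_overflow((uint64_t)width, (uint64_t)bytes_per_pixel, &stride)) return 0;
    if (__builtin_add_overflow(stride, (uint64_t)align - 1, &stride)) return 0;
    stride -= stride % align;                 /* round up to the alignment */
    if (__builtin_mul_overflow(stride, (uint64_t)height, &total)) return 0;
    if (total > cap || total > (uint64_t)SIZE_MAX) return 0;
    return (size_t)total;
}
```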


14) Out-of-bounds read (CVE-ID: CVE-2026-41071)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information or cause a denial of service.

The vulnerability exists due to out-of-bounds read in SampleAuxInfoReader::SampleAuxInfoReader() in libheif/sequences/track.cc when parsing a crafted HEIF sequence file with a mismatched saiz sample count. A remote attacker can supply a specially crafted HEIF file to disclose sensitive information or cause a denial of service.

The issue is triggered during file parsing via heif_context_read_from_file without additional user interaction, and in debug builds an assertion may fire instead of the out-of-bounds access.


15) Integer overflow (CVE-ID: CVE-2026-47714)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.

The vulnerability exists due to integer overflow or wraparound in the inline mask parsing code in libheif/region.cc when parsing a crafted HEIF file. A remote attacker can trick the victim into opening a crafted file to cause a denial of service and disclose sensitive information.

The issue is reachable when applications raise the max_image_size_pixels limit or disable it via LIBHEIF_SECURITY_LIMITS=off.


16) Out-of-bounds read (CVE-ID: CVE-2026-32882)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or disclose sensitive information.

The vulnerability exists due to out-of-bounds read in HeifPixelImage::overlay() when parsing a crafted HEIF file containing an overlay image whose child image uses a different alpha-channel bit depth than the color channels. A remote attacker can supply a specially crafted HEIF file to cause a denial of service or disclose sensitive information.

User interaction is required to open or otherwise process the crafted file.


17) Out-of-bounds read (CVE-ID: CVE-2026-32738)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in Chunk::get_data_extent_for_sample() when parsing a crafted HEIF sequence file with samples_per_chunk set to 0 in the stsc box. A remote attacker can supply a specially crafted file to cause a denial of service.

User interaction is required to open the crafted file and access the first frame or sample.
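Entries 6, 14 and 17 are all inconsistencies between the sample tables of a sequence track: more stsz samples than the stco chunks can hold, a saiz count that does not match the sample count, and an stsc run with samples_per_chunk set to 0. The following added example (not libheif code; the struct and function are hypothetical simplifications of the ISO BMFF boxes) is a consistency check a decoder could run before mapping any sample to a chunk, covering all three conditions.

```c
/* Added example, not libheif code: a pre-decode consistency check over the
 * ISO BMFF sample tables named in entries 6, 14 and 17 (stsz, stsc, stco and
 * saiz sample counts). The struct and names are hypothetical simplifications. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct stsc_entry { uint32_t first_chunk; uint32_t samples_per_chunk; }; /* 1-based */

/* Returns true when every stsz sample lands in a chunk that stco actually
 * lists and any saiz table covers every sample. Rejects samples_per_chunk
 * == 0, which would stall a sample-to-chunk walk, and non-increasing runs. */
bool sample_tables_consistent(uint32_t sample_count, uint32_t chunk_count,
                              const struct stsc_entry *stsc, size_t stsc_count,
                              uint32_t saiz_sample_count /* 0 = no saiz box */)
{
    if (saiz_sample_count != 0 && saiz_sample_count != sample_count) return false;
    if (stsc_count == 0) return sample_count == 0;

    uint64_t mapped = 0;  /* samples assigned to a chunk so far */
    for (size_t i = 0; i < stsc_count; i++) {
        const struct stsc_entry *e = &stsc[i];
        if (e->first_chunk == 0 || e->samples_per_chunk == 0) return false;
        if (e->first_chunk > chunk_count) return false;          /* index past stco */
        /* a run covers chunks up to the next entry's first_chunk, or to the end */
        uint64_t run_end = (i + 1 < stsc_count) ? stsc[i + 1].first_chunk
                                                : (uint64_t)chunk_count + 1;
        if (run_end <= e->first_chunk || run_end > (uint64_t)chunk_count + 1) return false;
        mapped += (run_end - e->first_chunk) * e->samples_per_chunk;
        if (mapped > sample_count) return false;  /* stsc claims more than stsz */
    }
    /* fewer mapped samples than stsz declares means a later sample would get a
       chunk index beyond stco (the condition described in entry 6) */
    return mapped == sample_count;
}
```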


18) Infinite loop (CVE-ID: CVE-2026-32739)

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to loop with unreachable exit condition in Box_stts::get_sample_duration() when parsing a crafted HEIF sequence file during file open. A remote attacker can send a specially crafted file to cause a denial of service.

User interaction is required to open the crafted file.


19) Use of uninitialized resource (CVE-ID: CVE-2026-32814)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to use of uninitialized resource in ImageItem_Grid::decode_and_paste_tile_image() in libheif/image-items/grid.cc when decoding a crafted HEIF or AVIF grid image with strict_decoding=false. A remote attacker can supply a specially crafted file with a corrupted tile to disclose sensitive information.

User interaction is required to process the crafted file, and the issue occurs with the default decoding behavior where tile decode failures are returned as success.


20) Out-of-bounds write (CVE-ID: CVE-2026-32740)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to out-of-bounds write in HeifPixelImage::copy_image_to() when decoding a crafted grid-based HEIF or AVIF image. A remote attacker can supply a specially crafted file to execute arbitrary code.

User interaction is required to open or decode a crafted file. Exploitation requires grid images using YCbCr 4:2:0 chroma subsampling with odd-height tiles.


21) Heap-based buffer overflow (CVE-ID: CVE-2026-32741)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to heap-based buffer overflow in MaskImageCodec::decode_mask_image() in libheif/image-items/mask_image.cc when parsing a crafted HEIF file containing a mask image. A remote attacker can supply a specially crafted HEIF file with an oversized iloc extent to cause a denial of service and potentially execute arbitrary code.

User interaction is required to open or process the crafted HEIF file. Exploitation requires an mski item with mskC bits_per_pixel set to 8 and image properties that enter the single-memcpy branch where stride equals width.


22) Out-of-bounds read (CVE-ID: N/A)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.

The vulnerability exists due to out-of-bounds read in ImageItem_Grid::decode_grid_tile when parsing a crafted HEIF/HEIC file containing a grid-derived item with an irot rotation property. A remote attacker can send a specially crafted file to cause a denial of service and disclose sensitive information.

User interaction is required to open or decode the crafted file.


Remediation

Install update from vendor's website.

References