SB2026062684 - Multiple vulnerabilities in libheif
Published: June 26, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Out-of-bounds write (CVE-ID: N/A)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or execute arbitrary code.
The vulnerability exists due to out-of-bounds write in unc_encoder_rgb_block_pixel_interleave::encode_tile when encoding an RGB image with heif_chroma_interleaved_RRGGBB_LE or heif_chroma_interleaved_RRGGBB_BE and interleaved bit-depth less than or equal to 8. A local user can supply crafted pixel data to trigger a linear heap out-of-bounds write and cause a denial of service or execute arbitrary code.
This issue is not reachable from a crafted input file alone and requires an application to construct an interleaved RRGGBB pixel image with bit-depth less than or equal to 8 from caller-controlled data before encoding with the uncompressed codec.
2) Out-of-bounds read (CVE-ID: N/A)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information or cause a denial of service.
The vulnerability exists due to out-of-bounds read in the uncompressed RRGGBB encoder path when encoding an RGB image with heif_chroma_interleaved_RRGGBB_LE or heif_chroma_interleaved_RRGGBB_BE and interleaved bit-depth less than or equal to 8. A local user can supply a crafted source plane that is read as 16-bit samples although it holds 8-bit (or narrower) interleaved data, disclosing sensitive information or causing a denial of service.
This issue occurs in the same encoding path as the write overflow and requires an application to provide a self-inconsistent interleaved RRGGBB image configuration to the uncompressed codec.
3) Integer underflow (CVE-ID: N/A)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer underflow in the Fraction constructor when processing a crafted HEIF/AVIF file through the tiling API with process_image_transformations=1. A remote attacker can supply a specially crafted file to cause a denial of service.
User interaction is required to open the crafted file, or the issue can be triggered server-side when uploaded content is processed automatically.
4) Out-of-bounds read (CVE-ID: N/A)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in unc_decoder::get_compressed_image_data_uncompressed() when decoding an advertised image tile from a crafted HEIF uncompressed image through heif_image_handle_decode_image_tile(). A remote attacker can supply a specially crafted HEIF file and trigger tile decoding to cause a denial of service.
The issue is not triggered by merely opening the file; the vulnerable path is reached when an application enumerates tiling metadata and decodes an advertised tile.
5) Out-of-bounds write (CVE-ID: N/A)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause memory corruption.
The vulnerability exists due to out-of-bounds write in unc_encoder_component_interleave::encode_tile when re-encoding a decoded image with mismatched primary and auxiliary alpha plane dimensions. A remote attacker can trick the victim into opening a specially crafted HEIF sequence file and re-encoding the decoded frame to cause memory corruption.
User interaction is required to open a crafted file, and exploitation occurs through a decode and re-encode workflow using the public APIs.
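Items 1, 2 and 5 all hinge on a self-inconsistent image description reaching the uncompressed encoder, so an application that builds images from caller-controlled data can reject such descriptions before encoding. The check below is an added example, not libheif's code or the advisories' own; the enum, struct and function names are constructed stand-ins for the chroma format, bit depth, stride and plane dimensions an application would read from its image handle. It rejects an RRGGBB chroma declared with a bit depth of 8 or less, a row stride too short for 16-bit RGB samples, and an alpha plane whose dimensions differ from the primary plane.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the libheif chroma values and plane metadata involved. */
enum chroma { CHROMA_INTERLEAVED_RGB, CHROMA_INTERLEAVED_RRGGBB_LE, CHROMA_INTERLEAVED_RRGGBB_BE };
struct plane { int width; int height; int bit_depth; size_t stride; };
struct image_desc { enum chroma chroma; struct plane color; bool has_alpha; struct plane alpha; };
enum check_result { CHECK_OK = 0, CHECK_BAD_DEPTH, CHECK_BAD_STRIDE, CHECK_ALPHA_MISMATCH };

/* RRGGBB chroma stores 16-bit samples (2 bytes each); plain interleaved RGB stores 8-bit samples. */
static int sample_bytes_for_chroma(enum chroma c) {
    return (c == CHROMA_INTERLEAVED_RRGGBB_LE || c == CHROMA_INTERLEAVED_RRGGBB_BE) ? 2 : 1;
}

/* Reject image descriptions the uncompressed encoder would misinterpret. */
enum check_result check_before_unc_encode(const struct image_desc *img) {
    int sample_bytes = sample_bytes_for_chroma(img->chroma);
    /* Items 1/2: RRGGBB chroma with a declared depth <= 8 is self-inconsistent. */
    if (sample_bytes == 2 && img->color.bit_depth <= 8)
        return CHECK_BAD_DEPTH;
    /* Each row must hold width pixels of 3 samples at the chroma's sample size. */
    size_t needed = (size_t)img->color.width * 3 * (size_t)sample_bytes;
    if (img->color.width <= 0 || img->color.height <= 0 || img->color.stride < needed)
        return CHECK_BAD_STRIDE;
    /* Item 5: an auxiliary alpha plane must match the primary plane's dimensions. */
    if (img->has_alpha &&
        (img->alpha.width != img->color.width || img->alpha.height != img->color.height))
        return CHECK_ALPHA_MISMATCH;
    return CHECK_OK;
}

/* Convenience wrapper for callers and tests; alpha_w < 0 means "no alpha plane". */
enum check_result check_config(enum chroma c, int w, int h, int depth, size_t stride,
                               int alpha_w, int alpha_h) {
    struct image_desc img = { c, { w, h, depth, stride }, alpha_w >= 0, { alpha_w, alpha_h, 8, 0 } };
    return check_before_unc_encode(&img);
}

int main(void) {
    /* Constructed cases mirroring the advisory's conditions (0 means the description is accepted). */
    printf("RRGGBB, depth 8:      %d\n", check_config(CHROMA_INTERLEAVED_RRGGBB_LE, 64, 64, 8, 64 * 6, -1, 0));
    printf("RRGGBB, depth 10:     %d\n", check_config(CHROMA_INTERLEAVED_RRGGBB_BE, 64, 64, 10, 64 * 6, -1, 0));
    printf("RGB, 32x32 alpha:     %d\n", check_config(CHROMA_INTERLEAVED_RGB, 64, 64, 8, 64 * 3, 32, 32));
    return 0;
}
```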
Remediation
Install the update from the vendor's website.
References
- https://github.com/strukturag/libheif/security/advisories/GHSA-46rp-pcq2-rpmr
- https://github.com/strukturag/libheif/security/advisories/GHSA-jc8f-p23p-5hjg
- https://github.com/strukturag/libheif/security/advisories/GHSA-73p7-m7gg-w2jv
- https://github.com/strukturag/libheif/commit/3021ff4efd897f9d66fd6287dad33e138de27dd4
- https://github.com/strukturag/libheif/security/advisories/GHSA-xpw3-9rhw-482x
- https://github.com/strukturag/libheif/blob/bd114ed6d592adc92a09882172ab71d1b4c6e1b1/libheif/codecs/uncompressed/unc_encoder_component_interleave.cc#L190-L217