Use of uninitialized resource in libheif - CVE-2026-47247
Published: May 20, 2026
Vulnerability identifier: #VU131959
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-47247
CWE-ID: CWE-908
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: struktur AG
Affected software:
libheif
libheif
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to use of uninitialized resource and incorrect calculation in libheif grid image decoding when parsing a crafted AVIF or HEIC grid image. A remote attacker can upload a specially crafted image for decoding and obtain heap memory contents from visible pixels in the decoded output to disclose sensitive information.
The leaked data may include heap contents such as library function pointers that can be used to defeat ASLR, and the issue is exposed when decoded output is made available to the attacker.
How to mitigate CVE-2026-47247
Install security update from vendor's website.