Use of uninitialized resource in libheif - CVE-2026-32814

Published: May 20, 2026


Vulnerability identifier: #VU131976
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-32814
CWE-ID: CWE-908
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: struktur AG
Affected software:
libheif

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to use of uninitialized resource in ImageItem_Grid::decode_and_paste_tile_image() in libheif/image-items/grid.cc when decoding a crafted HEIF or AVIF grid image with strict_decoding=false. A remote attacker can supply a specially crafted file with a corrupted tile to disclose sensitive information.

User interaction is required to process the crafted file, and the issue occurs under the default decoding behavior, in which a tile decode failure is returned as success.


How to mitigate CVE-2026-32814

Install the security update from the vendor's website.

Sources