Out-of-bounds write in libheif - #VU135513
Published: June 26, 2026
libheif
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service or execute arbitrary code.
The vulnerability exists due to an out-of-bounds write in unc_encoder_rgb_block_pixel_interleave::encode_tile when encoding an RGB image with heif_chroma_interleaved_RRGGBB_LE or heif_chroma_interleaved_RRGGBB_BE and an interleaved bit-depth less than or equal to 8. A local user can supply crafted pixel data to trigger a linear heap out-of-bounds write and cause a denial of service or execute arbitrary code.
This issue is not reachable from a crafted input file alone and requires an application to construct an interleaved RRGGBB pixel image with bit-depth less than or equal to 8 from caller-controlled data before encoding with the uncompressed codec.