Out-of-bounds read in libheif - #VU135514
Published: June 26, 2026
libheif
Detailed vulnerability description
The vulnerability allows a local user to disclose sensitive information or cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the uncompressed RRGGBB encoder path when encoding an RGB image with heif_chroma_interleaved_RRGGBB_LE or heif_chroma_interleaved_RRGGBB_BE and an interleaved bit depth less than or equal to 8. A local user can supply a crafted source plane that is read as 16-bit samples despite containing interleaved data of 8 bits or fewer per sample, and thereby disclose sensitive information or cause a denial of service.
This issue occurs in the same encoding path as the write overflow and requires an application to provide a self-inconsistent interleaved RRGGBB image configuration to the uncompressed codec.
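
An application-side consistency check for the configuration described above, as an added example that is not libheif's or the advisory's code. The enum, struct and function names are hypothetical, and it assumes an RRGGBB row holds three 16-bit samples (6 bytes) per pixel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical caller-side description of an interleaved plane.
   These are illustration types, not libheif's own. */
enum chroma_kind { CHROMA_OTHER, CHROMA_RRGGBB_LE, CHROMA_RRGGBB_BE };
enum cfg_result { CFG_OK, CFG_EMPTY, CFG_BAD_DEPTH, CFG_BAD_STRIDE, CFG_SHORT_PLANE };

struct interleaved_desc {
    enum chroma_kind chroma;
    int bit_depth;        /* declared bits per sample */
    uint32_t width, height;
    size_t stride;        /* bytes per row */
    size_t plane_size;    /* bytes actually allocated */
};

/* CFG_OK only if reading every sample as 16 bits stays inside the plane. */
enum cfg_result check_rrggbb_config(const struct interleaved_desc *d)
{
    if (d->chroma != CHROMA_RRGGBB_LE && d->chroma != CHROMA_RRGGBB_BE)
        return CFG_OK;                      /* different encoder path */
    if (d->width == 0 || d->height == 0)
        return CFG_EMPTY;
    /* RRGGBB stores 16-bit samples; a depth <= 8 is the inconsistent case. */
    if (d->bit_depth <= 8 || d->bit_depth > 16)
        return CFG_BAD_DEPTH;
    uint64_t row_bytes = (uint64_t)d->width * 6u;   /* 3 samples x 2 bytes */
    if ((uint64_t)d->stride < row_bytes)
        return CFG_BAD_STRIDE;
    uint64_t rows_before_last = d->height - 1u;
    /* Overflow-safe form of: stride * (height - 1) + row_bytes <= plane_size */
    if ((uint64_t)d->plane_size < row_bytes)
        return CFG_SHORT_PLANE;
    uint64_t room = (uint64_t)d->plane_size - row_bytes;
    if (rows_before_last != 0 && (uint64_t)d->stride > room / rows_before_last)
        return CFG_SHORT_PLANE;
    return CFG_OK;
}

int main(void)
{
    /* Constructed sample: 4x2 image, 8-bit RGB buffer (3 bytes per pixel)
       mislabelled as RRGGBB_LE, the combination the advisory describes. */
    struct interleaved_desc d = { CHROMA_RRGGBB_LE, 8, 4, 2, 12, 24 };
    printf("result=%d\n", (int)check_rrggbb_config(&d));
    return 0;
}
```

Running a check like this before handing the image to the encoder rejects the self-inconsistent configuration at the application boundary, independent of whether the library itself has been updated.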