Executive Summary

CVE-2026-32739 is a denial-of-service vulnerability in libheif versions 1.21.2 and earlier caused by an infinite loop in the Box_stts::get_sample_duration() function.

The issue occurs when a crafted HEIF sequence file contains a stts box with a sample_count of 0 in the first entry, which prevents the loop variable from incrementing and causes the function to hang indefinitely.

This infinite loop consumes 100% CPU with no progress, no crash, and no error logging, making it invisible to crash-based monitoring.

The vulnerability is triggered during file parsing, before any user interaction or image decoding, and affects any application using libheif to open HEIF sequence files.

A similar bug exists in Box_ctts::get_sample_offset().

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by making the affected process enter an infinite loop that consumes 100% CPU indefinitely.

Because the process does not crash or log errors, the issue can remain undetected by crash-based monitoring systems.

The infinite loop occurs during file parsing, so simply opening a crafted HEIF sequence file can trigger the DoS without further user interaction.

In server environments or applications that process HEIF files, this can lead to permanent resource exhaustion, potentially degrading service availability.

The attack requires no privileges and can be exploited remotely via network access.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability causes an infinite loop in the Box_stts::get_sample_duration() function when parsing a crafted HEIF sequence file, leading to 100% CPU usage indefinitely without crashing or logging errors.

Detection can be done by monitoring processes that use libheif for unusually high CPU consumption during file parsing, especially when opening HEIF sequence files.

Since the issue occurs during file parsing, you can use system monitoring commands to detect processes stuck at high CPU usage, for example:

• Use 'top' or 'htop' to identify processes consuming 100% CPU.
• Use 'ps aux --sort=-%cpu | head' to list top CPU-consuming processes.
• Use 'strace -p <pid>' on suspicious processes to observe if they are stuck in a loop during file parsing.

Additionally, scanning files for suspicious HEIF sequences with a crafted stts box (sample_count of 0 in the first entry) could help, but no specific command-line tool or signature is provided.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade libheif to version 1.22.0 or later, where this infinite loop denial-of-service vulnerability has been fixed.

Until the upgrade is applied, avoid opening untrusted or suspicious HEIF sequence files that could trigger the infinite loop.

Implement monitoring to detect processes consuming excessive CPU and consider terminating or restarting affected processes to restore availability.

If possible, restrict network access to services that use libheif to prevent remote exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability causes a denial-of-service (DoS) condition by consuming 100% CPU indefinitely during file parsing, which impacts system availability.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, a DoS vulnerability affecting availability could potentially impact compliance with regulations that require maintaining system availability and reliability.

However, there is no direct information provided about specific effects on data privacy, integrity, or regulatory compliance controls.

Useful 0 Not Useful 0