CVE-2026-32814
Heap Memory Leak in libheif HEIF/AVIF Decoder
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libheif | libheif | < 1.22.0 (affected; upper bound exclusive, i.e. 1.21.2 and earlier) |
| libheif | libheif | 1.22.0 (fixed release, see mitigation below) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-908 | The product uses or accesses a resource that has not been initialized. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability in libheif can lead to the leakage of uninitialized heap memory data when decoding crafted HEIF or AVIF images. In server-side image processing scenarios, such as generating thumbnails or processing images for content delivery networks or social media, this can result in the unintended exposure of sensitive information including authentication tokens, database results, and other users' image data.
Such leakage of sensitive or personal data could potentially violate data protection regulations and standards like GDPR or HIPAA, which require the safeguarding of personal and sensitive information against unauthorized disclosure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when decoding corrupted HEIF grid images with libheif versions 1.21.2 and earlier, where uninitialized heap memory is leaked silently. Detection involves identifying whether your system uses a vulnerable libheif version and whether it processes HEIF/AVIF images with default settings (strict_decoding=false).
To determine whether the vulnerable code is present, check the libheif version installed on your system:
- Run `heif-dec --version` or `pkg-config --modversion libheif`, or check the package manager for the installed libheif version. Note that applications frequently bundle their own copy of libheif (statically linked binaries, language-binding wheels, container images), so the system package version alone does not prove that every decoder on the host is fixed.
To find crafted HEIF/AVIF files that would trigger the vulnerability, identify grid images and attempt decoding with strict decoding enabled: a file whose decode succeeds by default but fails in strict mode contains a tile that the default path silently skips.
- Use the command-line tool `heif-dec` with strict decoding enabled (if supported by your build) to decode images and check for errors.
Since the vulnerability leaks uninitialized heap memory silently without error, network detection is difficult. Monitoring for unusual image processing behavior or unexpected data in decoded images may help.
Upgrading libheif to version 1.22.0 or later is the recommended mitigation.
Can you explain this vulnerability to me?
This vulnerability exists in libheif, a library used to decode and encode HEIF and AVIF image formats. In versions 1.21.2 and earlier, when decoding a HEIF grid image with the default setting strict_decoding=false, if a tile in the image is corrupted, the decoding silently fails without reporting an error. Instead, the library returns a success code (heif_error_Ok) but the affected tile's region in the output image contains uninitialized heap memory data.
Specifically, the memory allocated for the image planes (Y, Cb, Cr) is not zeroed out, so leftover data from previous heap allocations remains. This uninitialized memory is then included as pixel values in the decoded image, leaking potentially sensitive information from the heap.
Any application using libheif to decode grid-based HEIF or AVIF files with default settings is vulnerable to this issue. An attacker can craft a malicious .heic or .avif file that causes the decoded image to contain leaked heap memory data without any indication of failure.
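The following C program is an added illustration of the failure mode described above; it is not libheif's code and does not use the libheif API. It models a two-tile grid image whose second tile is corrupt, a Y plane "allocated" from a buffer a previous heap user (a constructed sample token) still occupies, and three decode paths: the default non-strict path that returns success and leaves the tile region full of stale heap bytes, the strict path that surfaces the error, and an assumed hardened variant (not the upstream 1.22.0 patch) that clears the plane first and refuses to report success. The grid geometry, the `secret` sample and the `tile_value` table are all constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Geometry of the toy grid image: 2 tiles side by side, 4x4 pixels each. */
#define TILE_W    4
#define TILE_H    4
#define GRID_COLS 2
#define GRID_ROWS 1
#define PLANE_W   (TILE_W * GRID_COLS)
#define PLANE_H   (TILE_H * GRID_ROWS)
#define PLANE_LEN (PLANE_W * PLANE_H)

typedef enum { ERR_OK = 0, ERR_CORRUPT_TILE = 1 } decode_err;
typedef struct { decode_err status; int leaked; } result;

/* Stand-in for the heap: the buffer the Y plane is "allocated" from.
 * A real malloc() may return a chunk that a previous allocation (a session
 * token, another user's image rows) just freed; this arena makes that reuse
 * deterministic so the leak can be observed and asserted. */
static unsigned char arena[PLANE_LEN];
static const char secret[] = "Bearer tok_9f3a1c";   /* constructed sample */

static void simulate_previous_heap_user(void) {
    size_t n = strlen(secret);
    for (size_t i = 0; i < PLANE_LEN; i++)
        arena[i] = (unsigned char)secret[i % n];
}

/* Tile 0 decodes to a flat grey value; tile 1 is "corrupted" in the file. */
static const int tile_value[GRID_ROWS * GRID_COLS] = { 0x80, -1 };

static decode_err decode_tile(int idx, unsigned char *plane) {
    if (tile_value[idx] < 0) return ERR_CORRUPT_TILE;
    int tx = (idx % GRID_COLS) * TILE_W, ty = (idx / GRID_COLS) * TILE_H;
    for (int y = 0; y < TILE_H; y++)
        memset(plane + (ty + y) * PLANE_W + tx, tile_value[idx], TILE_W);
    return ERR_OK;
}

/* Mirrors the behaviour the advisory describes for libheif < 1.22.0: the
 * plane is handed over without zeroing, and with strict == 0 a tile failure
 * is swallowed and ERR_OK is returned anyway. */
static decode_err decode_grid(unsigned char *plane, int strict) {
    for (int i = 0; i < GRID_ROWS * GRID_COLS; i++) {
        decode_err e = decode_tile(i, plane);
        if (e != ERR_OK && strict) return e;
        /* non-strict: fall through, leaving the tile region untouched */
    }
    return ERR_OK;
}

/* Hardened variant (assumed defence, not the upstream patch): clear the plane
 * before any tile is written and never report success for a grid that lost
 * a tile. Either measure alone closes the leak; together they also keep a
 * crafted file from passing as a valid image. */
static decode_err decode_grid_hardened(unsigned char *plane) {
    memset(plane, 0, PLANE_LEN);
    for (int i = 0; i < GRID_ROWS * GRID_COLS; i++) {
        decode_err e = decode_tile(i, plane);
        if (e != ERR_OK) return e;
    }
    return ERR_OK;
}

/* Count bytes in tile 1's region that still hold the previous occupant's
 * data, i.e. how much of the "pixel" output is really leaked heap. */
static int leaked_bytes_in_tile1(const unsigned char *plane) {
    size_t n = strlen(secret);
    int leaked = 0;
    for (int y = 0; y < TILE_H; y++)
        for (int x = TILE_W; x < PLANE_W; x++) {
            size_t pos = (size_t)y * PLANE_W + x;
            if (plane[pos] == (unsigned char)secret[pos % n]) leaked++;
        }
    return leaked;
}

/* Three scenarios; each returns the decoder's status plus the leak count. */
result run_default(void) {
    simulate_previous_heap_user();
    result r = { decode_grid(arena, 0), 0 };
    r.leaked = leaked_bytes_in_tile1(arena);
    return r;   /* status ERR_OK, 16 stale bytes presented as pixels */
}
result run_strict(void) {
    simulate_previous_heap_user();
    result r = { decode_grid(arena, 1), 0 };
    r.leaked = leaked_bytes_in_tile1(arena);
    return r;   /* stale bytes still there, but the caller is told to discard */
}
result run_hardened(void) {
    simulate_previous_heap_user();
    result r = { decode_grid_hardened(arena), 0 };
    r.leaked = leaked_bytes_in_tile1(arena);
    return r;   /* error reported and region zeroed: nothing to leak */
}

int main(void) {
    result r = run_default();
    printf("strict_decoding=0: status=%d, stale bytes in tile 1: %d\n", r.status, r.leaked);
    printf("  tile 1 row 0 read back as text: \"%.*s\"\n", TILE_W, (const char *)arena + TILE_W);
    r = run_strict();
    printf("strict_decoding=1: status=%d (error surfaced), stale bytes: %d\n", r.status, r.leaked);
    r = run_hardened();
    printf("hardened:          status=%d, stale bytes: %d\n", r.status, r.leaked);
    return 0;
}
```

The strict scenario shows why the error must actually be honoured: the plane still contains the previous occupant's bytes, the decoder just no longer pretends they are pixels. With the real library the equivalent of the `strict` flag here is the `strict_decoding` member of `heif_decoding_options` (from `heif_decoding_options_alloc()`) passed to `heif_decode_image()`; that detail comes from libheif's public header, not from this page.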
How can this vulnerability impact me?
This vulnerability can lead to the unintended disclosure of sensitive information stored in heap memory. When a crafted HEIF or AVIF image is decoded, uninitialized heap data (potentially including authentication tokens, database query results, or other users' image data) can be leaked as part of the decoded image pixels.
In scenarios such as server-side image processing, where uploaded images are decoded and then re-encoded (for example, generating thumbnails or serving images via a CDN or social media platform), this vulnerability can cause cross-user data leakage.
Because the library returns a success code despite the decoding failure, applications may unknowingly distribute images containing sensitive heap data, leading to confidentiality breaches.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade libheif to version 1.22.0 or later, where the issue has been fixed. Remember to rebuild or update any application that ships its own copy of libheif rather than linking the system library. Where an upgrade cannot be rolled out immediately, decode with strict_decoding enabled and treat any decode error as fatal: the leak described on this page occurs only on the default strict_decoding=false path, where a corrupted tile is reported as success.