CVE-2026-32882
Heap Buffer Over-read in libheif Image Compositing
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| structural_heif | libheif | up to 1.22.0 (exclusive) |
| structural_heif | libheif | 1.22.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to a denial of service, causing the application using libheif to crash when processing a maliciously crafted HEIF file.
Additionally, it may allow an attacker to disclose adjacent heap memory contents. This means sensitive information stored in memory near the alpha buffer could be leaked through the decoded image output.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade libheif to version 1.22.0 or later, where the issue has been fixed.
Can you explain this vulnerability to me?
This vulnerability exists in libheif, a library used to decode and encode HEIF and AVIF image formats, in versions 1.21.2 and earlier. The issue is a heap buffer over-read in the function HeifPixelImage::overlay(). When an overlay image's child has a different bit depth for the alpha channel than for the color channels, the function incorrectly uses the color channel stride to index into the alpha channel buffer. Because the alpha plane was allocated with its own (smaller) stride, the row offsets computed with the color stride run beyond the allocated alpha buffer, potentially reading up to 3,123 bytes past the end for certain image sizes and bit depths.
A specially crafted HEIF file can exploit this flaw to cause a denial of service by crashing the application or potentially disclose adjacent heap memory by leaking bytes embedded in the decoded output pixels.
This vulnerability has been fixed in libheif version 1.22.0.
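As an added illustration (not libheif's code and not part of this advisory), the C model below shows how walking an 8-bit alpha plane with the stride of a 16-bit colour plane computes offsets past the alpha allocation, and the bounds check a compositing routine should perform before reading. The image geometry and strides are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the CVE-2026-32882 access pattern, not libheif's
 * actual code. Planes are row-major; a sample at (x, y) sits at byte offset
 * y * stride + x * bytes_per_sample. Alpha is modelled as 8-bit (1 byte per
 * sample) and colour as 16-bit (2 bytes per sample), so their strides differ.
 * width and height are assumed to be at least 1. */

/* Last byte offset touched by a loop over a width x height plane that is
 * indexed with `stride` and one byte per sample. */
static size_t last_alpha_offset(uint32_t width, uint32_t height, uint32_t stride) {
    return (size_t)(height - 1) * stride + (width - 1);
}

/* Bytes that would be read past the end of an alpha allocation of
 * `alpha_size` bytes when the plane is walked with `stride_used`.
 * Returns 0 when every access is in bounds. Passing the colour stride
 * reproduces the bug's over-read without touching any memory. */
size_t alpha_overread_bytes(uint32_t width, uint32_t height,
                            size_t alpha_size, uint32_t stride_used) {
    size_t last = last_alpha_offset(width, height, stride_used);
    return last >= alpha_size ? last + 1 - alpha_size : 0;
}

/* Defensive check: the stride must be the alpha plane's own stride and the
 * final access must fall inside the allocation. */
int alpha_access_in_bounds(uint32_t width, uint32_t height, size_t alpha_size,
                           uint32_t alpha_stride, uint32_t stride_used) {
    return stride_used == alpha_stride &&
           last_alpha_offset(width, height, stride_used) < alpha_size;
}

int main(void) {
    /* Constructed geometry: 64x32 image, 16-bit colour (stride 128 bytes),
     * 8-bit alpha (stride 64 bytes, 2048 bytes allocated). */
    uint32_t w = 64, h = 32, color_stride = 128, alpha_stride = 64;
    size_t alpha_size = (size_t)h * alpha_stride;

    printf("over-read with alpha stride : %zu bytes\n",
           alpha_overread_bytes(w, h, alpha_size, alpha_stride));   /* 0 */
    printf("over-read with colour stride: %zu bytes\n",
           alpha_overread_bytes(w, h, alpha_size, color_stride));   /* 1984 */
    printf("check passes with colour stride: %d\n",
           alpha_access_in_bounds(w, h, alpha_size, alpha_stride, color_stride)); /* 0 */
    return 0;
}
```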
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in libheif allows for potential disclosure of adjacent heap memory through leaked bytes embedded in decoded output pixels. This could lead to unauthorized exposure of sensitive data processed by the affected software.
Such unauthorized data disclosure may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or leaks.
However, the CVE description does not explicitly mention compliance impacts or regulatory considerations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a heap buffer over-read in libheif versions 1.21.2 and prior when processing crafted HEIF files. Detection typically involves identifying vulnerable versions of libheif installed on your system or monitoring for crashes or abnormal behavior when decoding HEIF images.
To detect if your system is vulnerable, you can check the installed libheif version using commands like:
- `dpkg -l | grep libheif` (Debian/Ubuntu systems)
- `rpm -qa | grep libheif` (RedHat/CentOS systems)
If you find a version 1.21.2 or earlier, your system is vulnerable.
Additionally, you can attempt to detect exploitation attempts by monitoring for crashes or unusual behavior in applications using libheif when processing HEIF files, or by scanning incoming HEIF files for suspicious crafted content.