CVE-2026-32882
Deferred Deferred - Pending Action
Heap Buffer Over-read in libheif Image Compositing

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100Γ—50 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in versionThis issue has been fixed in version 1.22.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-32882
EUVD
EUVD-2026-30981
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
structural_heif libheif to 1.22.0 (exc)
structural_heif libheif 1.22.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

Exploitation of this vulnerability can lead to a denial of service, causing the application using libheif to crash when processing a maliciously crafted HEIF file.

Additionally, it may allow an attacker to disclose adjacent heap memory contents. This means sensitive information stored in memory near the alpha buffer could be leaked through the decoded image output.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade libheif to version 1.22.0 or later, where the issue has been fixed.

Executive Summary

This vulnerability exists in libheif versions 1.21.2 and earlier, which is a library used to decode and encode HEIF and AVIF image formats. The issue is a heap buffer over-read in the function HeifPixelImage::overlay(). When an overlay image's child has a different bit depth for the alpha channel compared to the color channels, the function incorrectly uses the color channel stride to index into the alpha channel buffer. This causes the function to read beyond the allocated alpha buffer, potentially reading up to 3,123 bytes past the end for certain image sizes and bit depths.

A specially crafted HEIF file can exploit this flaw to cause a denial of service by crashing the application or potentially disclose adjacent heap memory by leaking bytes embedded in the decoded output pixels.

This vulnerability has been fixed in libheif version 1.22.0.

Compliance Impact

The vulnerability in libheif allows for potential disclosure of adjacent heap memory through leaked bytes embedded in decoded output pixels. This could lead to unauthorized exposure of sensitive data processed by the affected software.

Such unauthorized data disclosure may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or leaks.

However, the CVE description does not explicitly mention compliance impacts or regulatory considerations.

Detection Guidance

This vulnerability involves a heap buffer over-read in libheif versions 1.21.2 and prior when processing crafted HEIF files. Detection typically involves identifying vulnerable versions of libheif installed on your system or monitoring for crashes or abnormal behavior when decoding HEIF images.

To detect if your system is vulnerable, you can check the installed libheif version using commands like:

  • dpkg -l | grep libheif # On Debian/Ubuntu systems
  • rpm -qa | grep libheif # On RedHat/CentOS systems

If you find a version 1.21.2 or earlier, your system is vulnerable.

Additionally, you can attempt to detect exploitation attempts by monitoring for crashes or unusual behavior in applications using libheif when processing HEIF files, or by scanning incoming HEIF files for suspicious crafted content.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32882. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart