CVE-2025-62821
Out-of-Bounds Read in Microsoft HEIF Image Extensions

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: MITRE

Description
Microsoft HEIF Image Extensions 1.2.22.0 has an out-of-bounds read because CHEIFItemInfoEntry_GetDataSize can return success while leaving the reported data size as 0. This causes a caller to make a 1-byte allocation. Later, CopyPixels computes copy_size = stride * abs(roi_height) but does not check the source buffer length before a memmove call.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: microsoft
Product: heif_image_extensions
Version / Range: 1.2.22.0
CWE ID: CWE-UNKNOWN
Executive Summary

CVE-2025-62821 is an out-of-bounds read in Microsoft HEIF Image Extensions version 1.2.22.0. The issue arises because the function CHEIFItemInfoEntry_GetDataSize can return success while reporting a data size of 0, which leads the caller to allocate a 1-byte buffer. Later, the CopyPixels function computes a copy size from the image stride and the absolute region-of-interest height but does not verify that the source buffer is at least that large before performing a memory move (memmove). The copy therefore reads past the end of the 1-byte source buffer, causing an access violation and denial of service (DoS) when a crafted HEIF image is processed.

The vulnerability is triggered when opening or previewing a malicious HEIF file on systems with the Microsoft HEIF Image Extensions installed. The root cause is the lack of validation of the source buffer length against the computed copy size, which can be further worsened if the image width is mis-parsed, inflating the copy size.
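The following is an added example, not code from the advisory or from msheif_store.dll: a hypothetical model of the copy path with the source-length check the summary says is missing. All names (buffer_t, copy_pixels_checked, the scenario functions) are assumptions chosen for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the copy path described in the advisory. The
 * names and structure are illustrative, not msheif_store.dll symbols. */
typedef struct {
    const uint8_t *data;
    size_t len;   /* actual length of the decoded item, never a reported size */
} buffer_t;

/* Hardened copy: same copy_size = stride * |roi_height| arithmetic as the
 * advisory describes, but the product is checked for wrap-around and bounded
 * by both source and destination lengths before memmove. A zero-length
 * source (the "GetDataSize returned 0" case) can never pass, because a valid
 * copy_size is at least 1. Returns 0 on success, -1 on rejection. */
int copy_pixels_checked(uint8_t *dst, size_t dst_len, const buffer_t *src,
                        size_t stride, int roi_height)
{
    if (dst == NULL || src == NULL || src->data == NULL) return -1;
    if (roi_height == INT_MIN) return -1;     /* abs(INT_MIN) overflows */
    size_t rows = (size_t)(roi_height < 0 ? -roi_height : roi_height);
    if (rows == 0 || stride == 0) return -1;
    if (stride > SIZE_MAX / rows) return -1;  /* stride * rows would wrap */
    size_t copy_size = stride * rows;
    if (copy_size > src->len) return -1;      /* the missing source-length check */
    if (copy_size > dst_len) return -1;
    memmove(dst, src->data, copy_size);
    return 0;
}

/* Constructed scenario mirroring the advisory: 1-byte source item, 4 x 4
 * region (copy_size 16). Returns 1 if the hardened copy refuses it. */
int scenario_one_byte_source_rejected(void)
{
    uint8_t one_byte = 0xAB;                  /* constructed 1-byte item */
    buffer_t src = { &one_byte, 1 };
    uint8_t dst[16];
    return copy_pixels_checked(dst, sizeof dst, &src, 4, -4) == -1;
}

/* Constructed 16-byte source with a matching 4 x 4 region: must succeed
 * and copy the bytes verbatim. Returns 1 on success. */
int scenario_valid_copy(void)
{
    uint8_t pixels[16], dst[16] = {0};
    memset(pixels, 0x7F, sizeof pixels);
    buffer_t src = { pixels, sizeof pixels };
    return copy_pixels_checked(dst, sizeof dst, &src, 4, 4) == 0 &&
           memcmp(dst, pixels, sizeof pixels) == 0;
}
```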

Impact Analysis

This vulnerability can cause a denial of service (DoS) on affected systems. When a user opens or previews a specially crafted malicious HEIF image, the out-of-bounds read leads to an access violation crash in any Windows Imaging Component (WIC) consumer that relies on the Microsoft HEIF Image Extensions. This can disrupt normal operations, potentially causing applications or the system to become unstable or crash.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or access violations in applications that use the Microsoft HEIF Image Extensions (msheif_store.dll) when processing HEIF images. Specifically, opening or previewing malicious HEIF files that trigger out-of-bounds reads will cause denial of service (DoS) crashes.

To detect exploitation attempts, you can look for crash logs or application errors related to msheif_store.dll or Windows Imaging Component (WIC) consumers.

There is a proof-of-concept (PoC) file available that reproduces the issue, which can be used in a controlled environment to test if your system is vulnerable.

No network-level indicators are provided for this issue; at the host level, use Windows Event Viewer to check for application crashes that reference msheif_store.dll.

Mitigation Strategies

Immediate mitigation steps include avoiding opening or previewing HEIF image files from untrusted or unknown sources, as the vulnerability is triggered by processing crafted HEIF images.

If possible, uninstall or disable the Microsoft HEIF Image Extensions (version 1.2.22.0) until a patch or update is available.

Monitor for updates from Microsoft addressing this vulnerability and apply patches promptly once released.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
