CVE-2026-49271
Heap Out-of-Bounds Read in libheif HEIF Decoder

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
libheif is a HEIF and AVIF file format decoder and encoder. Prior to version 1.22.1, the uncompressed HEIF decoder validates explicit icef compressed-unit offsets using unit_offset + unit_size. Because the addition can wrap, a crafted HEIF file can pass the range check and then construct a vector from iterators outside the compressed item buffer, producing an out-of-bounds heap read and crash. Version 1.22.1 patches the issue.
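The wrapping check described above, side by side with a non-wrapping form of the same range test, as an added illustration that is not libheif's code; the 32-bit unsigned offset type, the function names and the 1024-byte sample item buffer are assumptions made for the demonstration:

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical illustration of the check pattern described in the advisory;
// not libheif's code. Offsets and sizes are assumed to be 32-bit unsigned.

// Wrapping form: unit_offset + unit_size is computed first, so a huge offset
// plus a small size can wrap to a small value and pass the comparison.
bool unit_in_range_wrapping(uint32_t unit_offset, uint32_t unit_size, uint32_t buffer_size) {
    uint32_t unit_end = unit_offset + unit_size;  // may wrap modulo 2^32
    return unit_end <= buffer_size;
}

// Non-wrapping form: never form the sum; compare against the remaining room.
bool unit_in_range_safe(uint32_t unit_offset, uint32_t unit_size, uint32_t buffer_size) {
    if (unit_offset > buffer_size) return false;
    return unit_size <= buffer_size - unit_offset;
}

// Copy one compressed unit out of the item buffer, as a decoder would before
// handing it to the per-unit decompressor. Returns an empty vector when the
// unit lies outside the buffer instead of building iterators past its end.
std::vector<uint8_t> extract_unit(const std::vector<uint8_t>& item,
                                  uint32_t unit_offset, uint32_t unit_size) {
    const uint32_t buffer_size = static_cast<uint32_t>(item.size());
    if (!unit_in_range_safe(unit_offset, unit_size, buffer_size)) {
        return {};
    }
    auto first = item.begin() + unit_offset;
    return std::vector<uint8_t>(first, first + unit_size);
}

int main() {
    // Constructed sample item buffer of 1024 bytes (not a real HEIF payload).
    std::vector<uint8_t> item(1024, 0xAB);
    const uint32_t buffer_size = static_cast<uint32_t>(item.size());
    const uint32_t huge_offset = 0xFFFFFFF0u;  // offset near UINT32_MAX
    const uint32_t small_size = 0x20u;         // 0xFFFFFFF0 + 0x20 wraps to 0x10

    std::printf("wrapping check accepts out-of-range unit: %d\n",
                unit_in_range_wrapping(huge_offset, small_size, buffer_size));
    std::printf("safe check accepts out-of-range unit:     %d\n",
                unit_in_range_safe(huge_offset, small_size, buffer_size));
    std::printf("bytes extracted for out-of-range unit:    %zu\n",
                extract_unit(item, huge_offset, small_size).size());
    return 0;
}
```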
Affected Vendors & Products
Vendor      Product  Version / Range
strukturag  libheif  up to 1.22.1 (exclusive)
strukturag  libheif  1.22.1
CWE ID   Description
CWE-125  The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

The CVE-2026-49271 vulnerability affects libheif versions 1.22.0 and earlier. It is caused by an out-of-bounds read in the uncompressed HEIF decoder due to improper validation of compressed-unit offsets. Specifically, the addition of unit_offset and unit_size can wrap around, allowing a crafted HEIF file to bypass range checks. This results in the decoder constructing iterators outside the compressed item buffer, leading to an out-of-bounds heap read and a crash during decoding.

The issue occurs when the compressed unit type is not 'image_tile'. The vulnerability is classified as CWE-125 (Out-of-bounds Read) and was fixed in version 1.22.1 by improving offset validation to prevent wrapping.

Impact Analysis

This vulnerability can cause a denial of service by crashing the process that is decoding a specially crafted HEIF file. Because the out-of-bounds read leads to a heap read error and crash, an attacker could exploit this to disrupt availability of applications or services using vulnerable versions of libheif.

Detection Guidance

This vulnerability is triggered by processing a crafted HEIF file that causes an out-of-bounds heap read and crash in the libheif decoder. Detection focuses on identifying attempts to decode suspicious or malformed HEIF files that exploit the wrapping range check on compressed-unit offsets.

You can detect potential exploitation by monitoring for crashes or abnormal terminations of applications using libheif version 1.22.0 or earlier when decoding HEIF files.

Suggested commands include:

  • Use system logs or application logs to identify crashes related to libheif decoding, e.g., checking journalctl or syslog for segmentation faults or abort signals.
  • Run file integrity or version checks to identify if vulnerable libheif versions are installed: `dpkg -l | grep libheif` (Debian/Ubuntu) or `rpm -qa | grep libheif` (RedHat/CentOS).
  • Use fuzzing or testing tools to feed HEIF files to libheif decoders and monitor for crashes, for example using `heif-convert` on suspicious files.

Mitigation Strategies

The immediate mitigation step is to upgrade libheif to version 1.22.1 or later, where the vulnerability has been patched by fixing the offset validation to prevent wrapping.

Until the upgrade can be applied, avoid processing untrusted or suspicious HEIF files, especially those received from unverified sources.

Additionally, monitor applications using libheif for crashes and consider applying runtime protections such as sandboxing or limiting privileges of processes that decode HEIF files.
