CVE-2026-49271
Analyzed Analyzed - Analysis Complete

Heap Out-of-Bounds Read in libheif HEIF Decoder

Vulnerability report for CVE-2026-49271, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

libheif is a HEIF and AVIF file format decoder and encoder. Prior to version 1.22.1, the uncompressed HEIF decoder validates explicit icef compressed-unit offsets using unit_offset + unit_size. Because the addition can wrap, a crafted HEIF file can pass the range check and then construct a vector from iterators outside the compressed item buffer, producing an out-of-bounds heap read and crash. Version 1.22.1 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-26
Generated
2026-07-10
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
struktur libheif to 1.22.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-49271 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The CVE-2026-49271 vulnerability affects libheif versions 1.22.0 and earlier. It is caused by an out-of-bounds read in the uncompressed HEIF decoder due to improper validation of compressed-unit offsets. Specifically, the addition of unit_offset and unit_size can wrap around, allowing a crafted HEIF file to bypass range checks. This results in the decoder constructing iterators outside the compressed item buffer, leading to an out-of-bounds heap read and a crash during decoding.

The issue occurs when the compressed unit type is not 'image_tile'. The vulnerability is classified as CWE-125 (Out-of-bounds Read) and was fixed in version 1.22.1 by improving offset validation to prevent wrapping.

Impact Analysis

This vulnerability can cause a denial of service by crashing the process that is decoding a specially crafted HEIF file. Because the out-of-bounds read leads to a heap read error and crash, an attacker could exploit this to disrupt availability of applications or services using vulnerable versions of libheif.

Detection Guidance

This vulnerability is triggered by processing a crafted HEIF file that causes an out-of-bounds heap read and crash in the libheif decoder. Detection involves identifying attempts to decode suspicious or malformed HEIF files that exploit the wrapped range check in compressed-unit offsets.

You can detect potential exploitation by monitoring for crashes or abnormal terminations of applications using libheif version 1.22.0 or earlier when decoding HEIF files.

Suggested commands include:

  • Use system logs or application logs to identify crashes related to libheif decoding, e.g., checking journalctl or syslog for segmentation faults or abort signals.
  • Run file integrity or version checks to identify if vulnerable libheif versions are installed: `dpkg -l | grep libheif` (Debian/Ubuntu) or `rpm -qa | grep libheif` (RedHat/CentOS).
  • Use fuzzing or testing tools to feed HEIF files to libheif decoders and monitor for crashes, for example using `heif-convert` on suspicious files.
Mitigation Strategies

The immediate mitigation step is to upgrade libheif to version 1.22.1 or later, where the vulnerability has been patched by fixing the offset validation to prevent wrapping.

Until the upgrade can be applied, avoid processing untrusted or suspicious HEIF files, especially those received from unverified sources.

Additionally, monitor applications using libheif for crashes and consider applying runtime protections such as sandboxing or limiting privileges of processes that decode HEIF files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart