Description
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chunk=0 in the stsc box causes an unsigned integer underflow in the Chunk constructor (m_last_sample = 0 + 0 - 1 = UINT32_MAX), mapping all samples to an empty chunk and resulting in a denial of service. When any sample is accessed, the library reads from index 0 of an empty std::vector, causing a guaranteed SEGV (null-page read). The file parses successfully without producing an error; the crash occurs on the first frame access. This issue has been fixed in version 1.22.0.
Published: 2026-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap out‑of‑bounds read in libheif triggered by an unsigned integer underflow when parsing the stsc box of a HEIF file whose samples_per_chunk value is zero. The underflow causes all samples to be mapped to an empty chunk, and subsequent sample access reads from index zero of an empty std::vector, leading to a segmentation fault. The HEIF file is parsed without error, but the crash occurs when the first frame is accessed, resulting in a denial‑of‑service.

Affected Systems

The affected product is libheif, developed by strukturag. Versions 1.21.2 and earlier are vulnerable; the issue was fixed in version 1.22.0.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate severity vulnerability. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating no widespread exploitation has been observed yet. The likely attack vector is a crafted HEIF file supplied to any software that uses libheif for decoding. If such software does not validate or sandbox image handling, the malicious file can trigger a crash and deny service to the process or application. The risk level is moderate to high for systems that process untrusted image data.

Generated by OpenCVE AI on May 20, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libheif to version 1.22.0 or later.
  • Implement validation to reject HEIF files that contain an stsc box with samples_per_chunk set to zero before passing them to libheif.
  • Configure applications that use libheif to run the decoder in a restricted environment or sandbox to limit the impact of a crash.

Generated by OpenCVE AI on May 20, 2026 at 01:51 UTC.
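The pre-decode validation recommended above, sketched as an added example (not code from libheif or OpenCVE): it walks the ISO BMFF box tree and reports every stsc entry whose samples_per_chunk is 0. The function names and the constructed sample file are assumptions for illustration, and the walk assumes the standard moov/trak/mdia/minf/stbl nesting.

```python
import struct

# Container boxes on the path to the sample-to-chunk table (ISO/IEC 14496-12).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}

def iter_boxes(buf, start, end):
    """Yield (type, payload_start, payload_end) for each box in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:      # 64-bit largesize follows the type field
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:    # box runs to the end of its enclosing container
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"box {btype!r} has invalid size {size}")
        yield btype, pos + header, pos + size
        pos += size

def find_zero_samples_per_chunk(buf, start=0, end=None):
    """Return [(stsc_payload_offset, entry_index)] where samples_per_chunk == 0."""
    end = len(buf) if end is None else end
    hits = []
    for btype, p0, p1 in iter_boxes(buf, start, end):
        if btype in CONTAINERS:
            hits += find_zero_samples_per_chunk(buf, p0, p1)
        elif btype == b"stsc":
            if p1 - p0 < 8:
                raise ValueError("truncated stsc box")
            # FullBox: 4 bytes version/flags, then a 32-bit entry_count.
            count = struct.unpack_from(">I", buf, p0 + 4)[0]
            if 8 + 12 * count > p1 - p0:
                raise ValueError("stsc entry_count exceeds box size")
            for i in range(count):
                # Each entry: first_chunk, samples_per_chunk, sample_description_index.
                _first, spc, _desc = struct.unpack_from(">III", buf, p0 + 8 + 12 * i)
                if spc == 0:
                    hits.append((p0, i))
    return hits

def box(btype, payload):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

def sample(entries):
    """Constructed minimal file: ftyp + moov/trak/mdia/minf/stbl/stsc (not a real HEIF)."""
    body = struct.pack(">II", 0, len(entries))
    inner = box(b"stsc", body + b"".join(struct.pack(">III", *e) for e in entries))
    for t in (b"stbl", b"minf", b"mdia", b"trak", b"moov"):
        inner = box(t, inner)
    return box(b"ftyp", b"msf1" + b"\0" * 4) + inner
```

A caller should reject the file when the returned list is non-empty or when parsing raises any exception, and should treat this check as a stopgap alongside the upgrade to 1.22.0.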


Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| CPEs | | cpe:2.3:a:struktur:libheif:*:*:*:*:*:*:*:* |

Wed, 20 May 2026 10:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Struktur; Struktur libheif |
| Vendors & Products | | Struktur; Struktur libheif |

Wed, 20 May 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-191 |
| References | | |
| Metrics | threat_severity: None | threat_severity: Moderate |


Tue, 19 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 19 May 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chunk=0 in the stsc box causes an unsigned integer underflow in the Chunk constructor (m_last_sample = 0 + 0 - 1 = UINT32_MAX), mapping all samples to an empty chunk and resulting in a denial of service. When any sample is accessed, the library reads from index 0 of an empty std::vector, causing a guaranteed SEGV (null-page read). The file parses successfully without producing an error; the crash occurs on the first frame access. This issue has been fixed in version 1.22.0. |
| Title | | libheif has a Heap OOB Read/SEGV Crash via Zero samples_per_chunk |
| Weaknesses | | CWE-125; CWE-476 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T19:38:59.260Z

Reserved: 2026-03-13T15:02:00.628Z

Link: CVE-2026-32738

Vulnrichment

Updated: 2026-05-19T19:33:35.814Z

NVD

Status: Analyzed

Published: 2026-05-19T19:16:48.823

Modified: 2026-05-20T14:17:41.080

Link: CVE-2026-32738

Redhat

Severity: Moderate

Public Date: 2026-05-19T19:03:48Z

Links: CVE-2026-32738 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T10:15:15Z

Weaknesses