Description
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 100% CPU indefinitely with zero progress, leading to DoS. The loop has no iteration limit or timeout and is triggered during file open (parsing) - before any user interaction or image decoding. The process stays alive (no crash, no error logged), making it invisible to crash-based monitoring. This issue has been fixed in version 1.22.0.
Published: 2026-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An infinite loop in the Box_stts::get_sample_duration() function is triggered by a specially crafted 800-byte HEIF file. The loop consumes 100% CPU for an indefinite period and never terminates or generates an error, rendering the process invisible to crash-based monitoring tools. The vulnerability is a classic CWE-835 Infinite Loop flaw that leads to a resource exhaustion Denial of Service before any user interaction or image rendering occurs.

Affected Systems

The issue affects the libheif library produced by strukturag, specifically all releases 1.21.2 and older. The problem was addressed in release 1.22.0 and later versions.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, and the EPSS score is not available. The vulnerability is not listed in CISA's KEV catalog, so no widespread exploitation is known, but the lack of a termination condition makes it a persistent local DoS that can be triggered by any process that opens an untrusted HEIF file. An attacker can supply the crafted file via direct file upload, phishing, or any other mechanism that leads a service to parse the file, exhausting the CPU and leaving the application unresponsive.

Generated by OpenCVE AI on May 19, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libheif to version 1.22.0 or later to eliminate the loop
  • Reconfigure applications that use libheif to reject or quarantine HEIF files originating from untrusted sources
  • Implement process or system monitoring to detect abnormal CPU usage during file parsing and take remedial action
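The CPU-monitoring action above can be enforced rather than just observed: parse untrusted input in a child process that carries a kernel CPU-time limit and a wall-clock timeout, so a loop that spins with no progress and never crashes or logs still produces a verdict. This is an added example, not code from OpenCVE or libheif; it assumes libheif's bundled heif-info tool is on PATH and uses constructed budget values.

```python
import resource
import signal
import subprocess
import sys


def run_with_budget(cmd, cpu_seconds=5, wall_seconds=10):
    """Run a parser command under a CPU-time and wall-clock budget.

    Returns 'ok', 'error', 'crashed', 'cpu_exhausted' or 'wall_timeout'.
    A parse that spins at 100% CPU with no progress never exits on its own,
    so the kernel-enforced CPU limit is what exposes it.
    """

    def limit_cpu():
        # Runs in the child before exec. Exceeding the soft limit delivers
        # SIGXCPU, the hard limit SIGKILL; neither depends on the parser.
        _, cur_hard = resource.getrlimit(resource.RLIMIT_CPU)
        hard = cpu_seconds + 1
        if cur_hard != resource.RLIM_INFINITY:
            hard = min(cur_hard, hard)          # never raise an inherited cap
        resource.setrlimit(resource.RLIMIT_CPU, (min(cpu_seconds, hard), hard))

    try:
        proc = subprocess.run(cmd, capture_output=True,
                              timeout=wall_seconds, preexec_fn=limit_cpu)
    except subprocess.TimeoutExpired:
        # Wall clock elapsed first (parser blocked or starved); the child
        # has already been killed by subprocess.run.
        return "wall_timeout"
    if proc.returncode == 0:
        return "ok"
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu_exhausted"
    if proc.returncode < 0:
        return "crashed"            # other fatal signal, e.g. SIGSEGV/SIGABRT
    return "error"                  # parser rejected the file cleanly


def simulated_parser(code):
    # Constructed stand-in for heif-info, used to exercise each verdict.
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    # heif-info is the CLI shipped with libheif; a non-'ok' verdict means
    # the file is quarantined instead of being handed to the decoder.
    verdict = run_with_budget(["heif-info", sys.argv[1]], cpu_seconds=2, wall_seconds=5)
    print(verdict)
    sys.exit(0 if verdict == "ok" else 1)
```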

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000
Type: CPEs
Values Added: cpe:2.3:a:struktur:libheif:*:*:*:*:*:*:*:*

Wed, 20 May 2026 13:30:00 +0000
Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:30:00 +0000
Type: First Time appeared
Values Added: Struktur; Struktur libheif
Type: Vendors & Products
Values Added: Struktur; Struktur libheif

Wed, 20 May 2026 00:15:00 +0000
Type: References
Type: Metrics (threat_severity)
Values Removed: threat_severity = None
Values Added: threat_severity = Moderate

Tue, 19 May 2026 20:00:00 +0000
Type: Description
Values Added: libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 100% CPU indefinitely with zero progress, leading to DoS. The loop has no iteration limit or timeout and is triggered during file open (parsing) - before any user interaction or image decoding. The process stays alive (no crash, no error logged), making it invisible to crash-based monitoring. This issue has been fixed in version 1.22.0.
Type: Title
Values Added: libheif is Vulnerable to Infinite Loop DoS via stts Sample Duration Lookup
Type: Weaknesses
Values Added: CWE-835
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

Struktur Libheif
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T13:07:09.840Z

Reserved: 2026-03-13T15:02:00.628Z

Link: CVE-2026-32739

Vulnrichment

Updated: 2026-05-20T13:07:02.701Z

NVD

Status : Analyzed

Published: 2026-05-19T20:16:18.780

Modified: 2026-05-20T14:17:13.740

Link: CVE-2026-32739

Redhat

Severity : Moderate

Public Date: 2026-05-19T19:10:03Z

Links: CVE-2026-32739 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T10:15:15Z

Weaknesses