Description
libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow (write) vulnerability in the grid tile compositing, allowing an attacker to write 64 bytes of fully attacker-controlled data past the end of a chroma plane heap allocation by crafting a HEIF/AVIF file with a 1×4 grid of odd-height tiles. The overflow is triggered during normal image decoding with default build configuration. The written bytes are chroma (Cb/Cr) pixel values from the attacking tile, giving the attacker full control over the overflow content. This issue has been fixed in version 1.22.0.
Published: 2026-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap-buffer-overflow that occurs during normal HEIF/AVIF decoding when a 1×4 grid of odd-height tiles is processed. The fault writes 64 attacker-controlled bytes past the end of a chroma plane allocation, giving full control over the contents of the overwritten memory. Such an overwrite can corrupt adjacent heap data, crash the application, or potentially lead to arbitrary code execution if the corrupted data later influences control flow. The weakness is a classic instance of CWE-787 (out-of-bounds write): data is written outside the bounds of an allocated heap buffer during regular library usage with the default build configuration.

Affected Systems

The affected software is libheif from strukturag, the HEIF and AVIF encoder/decoder. All releases up to and including 1.21.2 are vulnerable; the problem was fixed in version 1.22.0. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. EPSS data is unavailable, and the vulnerability is not listed in CISA's KEV catalog. The flaw is exploitable by supplying a crafted HEIF/AVIF file to any application that decodes it with libheif and no additional safeguards. A prominent attack vector is remote delivery of a malicious image, via email, a web site, or any file-import feature, so the risk is high for any exposed service that decodes such files. The absence of an EPSS score does not lessen the potential impact, which could be severe given that the overflow corrupts heap memory.

Generated by OpenCVE AI on May 19, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libheif to version 1.22.0 or later, which includes the heap‑buffer‑overflow fix
  • If upgrade is not immediately possible, remove or disable features that enable grid tile compositing in the library (e.g., compile libheif with that option disabled) to prevent the overflow path
  • Where the library is used to decode untrusted HEIF/AVIF files, validate or sanitize the input beforehand, or use a sandboxed environment to limit the potential impact of a memory corruption event

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

Type     | Values Removed | Values Added
CPEs     |                | cpe:2.3:a:struktur:libheif:*:*:*:*:*:*:*:*
Metrics  |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 10:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Struktur; Struktur libheif
Vendors & Products  |                | Struktur; Struktur libheif

Wed, 20 May 2026 00:15:00 +0000

Type       | Values Removed        | Values Added
References |                       |
Metrics    | threat_severity: None | threat_severity: Important


Tue, 19 May 2026 20:00:00 +0000

Type        | Values Removed | Values Added
Description |                | libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow (write) vulnerability in the grid tile compositing, allowing an attacker to write 64 bytes of fully attacker-controlled data past the end of a chroma plane heap allocation by crafting a HEIF/AVIF file with a 1×4 grid of odd-height tiles. The overflow is triggered during normal image decoding with default build configuration. The written bytes are chroma (Cb/Cr) pixel values from the attacking tile, giving the attacker full control over the overflow content. This issue has been fixed in version 1.22.0.
Title       |                | libheif: Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing
Weaknesses  |                | CWE-787
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Sources

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T13:49:10.222Z

Reserved: 2026-03-13T15:02:00.628Z

Link: CVE-2026-32740

Vulnrichment

Updated: 2026-05-20T13:49:03.011Z

NVD

Status: Analyzed

Published: 2026-05-19T20:16:18.917

Modified: 2026-05-20T14:17:02.530

Link: CVE-2026-32740

Red Hat

Severity: Important

Published: 2026-05-19T19:22:07Z

Links: CVE-2026-32740 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T10:15:15Z

Weaknesses