Description
libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel buffer using memcpy(dst, data.data(), data.size()). The copy length data.size() is determined by the iloc extent in the file (attacker-controlled), while the destination buffer is sized based on the declared image dimensions. Because no upper-bound check exists on the data length, a crafted file whose iloc extent exceeds the pixel buffer allocation overflows the heap. The vulnerable single-memcpy branch is reached when the mskC property specifies bits_per_pixel = 8 and the ispe property declares an even width ≥ 64 (so that stride == width), with no changes to default security limits or external codec plugins required. This issue has been fixed in version 1.22.0.
Published: 2026-05-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

libheif contains a heap buffer overflow in the MaskImageCodec::decode_mask_image() function. When a HEIF file contains a mask image with an attacker‑controlled iloc extent, the copy length supplied to memcpy exceeds the size of the allocated pixel buffer. The resulting memory corruption can lead to arbitrary code execution or a denial‑of‑service. The vulnerability is triggered by a single memcpy branch that is reached when bits_per_pixel equals 8 and the image width is even and at least 64 pixels, without requiring changes to security limits or external plugins. It is inferred that any application that decodes HEIF/AVIF files using libheif is potentially exposed.
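The missing length check described above, sketched as an added example; it is not libheif's code or its 1.22.0 patch. `Plane`, `make_plane` and `copy_mask_checked` are hypothetical names, and rejecting any payload whose length differs from width × height is an assumed policy.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical stand-in for a decoded 8-bit plane; not a libheif type.
struct Plane {
    uint32_t width = 0, height = 0;
    size_t stride = 0;            // bytes per row, must be >= width
    std::vector<uint8_t> pixels;  // stride * height bytes
};

enum class CopyResult { Ok, TooLittleData, TooMuchData, BadDimensions };

// Constructed helper: allocate a zeroed plane from the declared dimensions.
Plane make_plane(uint32_t w, uint32_t h, size_t stride) {
    Plane p;
    p.width = w; p.height = h; p.stride = stride;
    p.pixels.assign(stride * h, 0);
    return p;
}

// Copy an 8-bit mask payload (the iloc extent bytes) into the plane. The
// length is checked against the destination before any memcpy, instead of
// passing data.size() straight through as the copy length.
CopyResult copy_mask_checked(const std::vector<uint8_t>& data, Plane& plane) {
    if (plane.width == 0 || plane.height == 0 || plane.stride < plane.width ||
        plane.pixels.size() / plane.stride < plane.height)
        return CopyResult::BadDimensions;
    const uint64_t needed = uint64_t(plane.width) * plane.height;  // no 32-bit wrap
    if (data.size() < needed) return CopyResult::TooLittleData;
    if (data.size() > needed) return CopyResult::TooMuchData;  // oversized extent
    if (plane.stride == plane.width) {
        // Single-copy branch: the length now equals the allocation exactly.
        std::memcpy(plane.pixels.data(), data.data(), data.size());
    } else {
        for (uint32_t y = 0; y < plane.height; ++y)  // skip row padding
            std::memcpy(plane.pixels.data() + size_t(y) * plane.stride,
                        data.data() + size_t(y) * plane.width, plane.width);
    }
    return CopyResult::Ok;
}

int main() {
    Plane p = make_plane(64, 4, 64);             // constructed 64x4 mask
    std::vector<uint8_t> oversized(4096, 0xAB);  // constructed oversized payload
    std::printf("oversized rejected: %d\n",
                copy_mask_checked(oversized, p) == CopyResult::TooMuchData);
}
```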

Affected Systems

Vendors: strukturag – libheif. Affected product versions: 1.21.2 and all earlier releases. The issue is resolved in libheif version 1.22.0 and later.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium‑to‑high severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. It is inferred that the likely attack vector is delivery of a crafted HEIF file to an application that uses libheif for decoding—such as image viewers, editors, or web browsers—allowing an attacker to trigger the overflow by simply opening or processing the malicious file. No additional exploitation prerequisites beyond providing the malformed file are cited in the CVE description.

Generated by OpenCVE AI on May 20, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libheif to version 1.22.0 or later where the memcpy bounds check has been added.
  • If an upgrade is not immediately possible, disable mask image decoding via the libheif API or configure the application to reject HEIF files containing mski mask images until the patch is applied.
  • Process HEIF files in a restricted, sandboxed environment to limit the impact of any potential memory corruption until a proper fix is deployed.



Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 20 May 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Struktur; Struktur libheif |
| Vendors & Products | | Struktur; Struktur libheif |

Wed, 20 May 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-120 |
| References | | |
| Metrics | threat_severity: None | threat_severity: Important |


Tue, 19 May 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel buffer using memcpy(dst, data.data(), data.size()). The copy length data.size() is determined by the iloc extent in the file (attacker-controlled), while the destination buffer is sized based on the declared image dimensions. Because no upper-bound check exists on the data length, a crafted file whose iloc extent exceeds the pixel buffer allocation overflows the heap. The vulnerable single-memcpy branch is reached when the mskC property specifies bits_per_pixel = 8 and the ispe property declares an even width ≥ 64 (so that stride == width), with no changes to default security limits or external codec plugins required. This issue has been fixed in version 1.22.0. |
| Title | | libheif has a heap buffer overflow in decode_mask_image() |
| Weaknesses | | CWE-122 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T15:46:03.623Z

Reserved: 2026-03-13T15:02:00.628Z

Link: CVE-2026-32741

Vulnrichment

Updated: 2026-05-20T14:37:42.429Z

NVD

Status: Deferred

Published: 2026-05-19T21:16:42.073

Modified: 2026-05-20T17:16:21.133

Link: CVE-2026-32741

Redhat

Severity: Important

Public Date: 2026-05-19T19:57:26Z

Links: CVE-2026-32741 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T10:00:04Z

Weaknesses