Description
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to decode and the library returns heif_error_Ok with no indication of failure, leading to an uninitialized heap memory information leak. The canvas is allocated via create_clone_image_at_new_size() → plane.alloc() → new (std::nothrow) uint8_t[allocation_size] which does not zero the memory; only the alpha plane is explicitly initialized via fill_plane(), so the Y, Cb, and Cr planes contain whatever was previously at that heap address. The failed tile's region of the canvas is never written. It retains uninitialized heap data that is delivered to the caller as decoded pixel values (4,096 bytes per Y/Cb/Cr plane = 12,288+ bytes total). Any application using libheif to decode grid-based HEIF/AVIF files with default settings is vulnerable: a crafted .heic or .avif file causes 4,096+ bytes of heap memory to appear as pixel values in the decoded image, and the calling application receives heif_error_Ok, so it has no indication the output contains heap garbage. In server-side image processing, an uploaded crafted HEIF decoded and re-encoded (e.g., as PNG/JPEG for thumbnails, CDN, social media) can leak cross-user data such as auth tokens, database results, and other users' image data. This issue has been fixed in version 1.22.0.
Published: 2026-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An error condition in libheif 1.21.2 and earlier causes a corrupted HEIF grid tile to silently fail to decode while the library reports success, leaving uninitialized heap data in the Y, Cb, and Cr planes. The resulting decoded image contains 4,096 bytes of uninitialized heap data per plane, totaling over 12 KB of memory that may hold prior user data such as authentication tokens or database results. Because the error is not reported to the caller, applications receive a normal success code and cannot detect that the image is corrupted. This behavior aligns with CWE-200 (Information Exposure) and CWE-908 (Information Leak through Uninitialized Data).

Affected Systems

All users of strukturag:libheif running version 1.21.2 or earlier are affected. The fix was applied in version 1.22.0 and subsequent releases, so any deployment that has not yet upgraded is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. EPSS information is not available, and the vulnerability is not listed in CISA’s KEV catalog. The primary attack scenario involves an attacker crafting a malicious HEIC or AVIF file and providing it to an application that decodes images, such as a server‑side image processor or thumbnail generator. Because the bug triggers on corrupted grid tiles and does not require elevated privileges, any process that links against libheif can potentially leak sensitive heap contents. In environments where images are generated from untrusted uploads, the risk to confidentiality is moderate to high, depending on the sensitivity of the data previously residing in the heap.

Generated by OpenCVE AI on May 19, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libheif to version 1.22.0 or later to remove the bug
  • Configure libheif to use strict_decoding=true so that failed grid tiles produce a non‑zero error status and halt processing
  • Add validation to any image‑processing pipeline to reject or re‑process HEIF/AVIF files that return an error or contain unexpected pixel data before further use
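As an added illustration (not libheif's code), the following self-contained C++ model reproduces the two ingredients the description above names, an unzeroed `new (std::nothrow) uint8_t[]` canvas and a tile failure that is swallowed when strict decoding is off, beside the hardened flow the recommended actions imply: a canvas that starts fully defined and a tile failure that is always reported. The tile edge of 64 pixels (so one tile region is 64 x 64 = 4,096 bytes, the per-plane figure in the description), the 2x2 grid, the `decode_tile` stand-in that fails for one chosen tile index, the return codes and the fill value are all constructed assumptions for this example. Only the Y plane is modelled; Cb and Cr would be handled the same way.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

// Model parameters (constructed for this example, not libheif's values).
constexpr int kTile = 64;                  // tile edge in pixels: 64*64 = 4,096 bytes
constexpr int kGrid = 2;                   // 2x2 tiles
constexpr int kCanvas = kTile * kGrid;     // 128x128 canvas
constexpr std::uint8_t kFill = 0x00;       // defined value for never-written pixels

// Return codes for the model; kOk plays the role of heif_error_Ok.
enum { kOk = 0, kTileFailed = 1, kAllocFailed = 2 };

// One 8-bit plane. Only Y is modelled; Cb/Cr would be treated identically.
struct Plane {
    std::uint8_t* data = nullptr;
    std::size_t size = 0;
    Plane() = default;
    Plane(const Plane&) = delete;
    Plane& operator=(const Plane&) = delete;
    ~Plane() { delete[] data; }
};

// Vulnerable pattern: new (std::nothrow) uint8_t[n] does not zero the bytes,
// so whatever the allocator hands back is what an unwritten region holds.
bool alloc_uninitialized(Plane& p, std::size_t n) {
    p.data = new (std::nothrow) std::uint8_t[n];
    p.size = p.data ? n : 0;
    return p.data != nullptr;
}

// Hardened pattern: the trailing () value-initialises, so every byte is 0.
bool alloc_zeroed(Plane& p, std::size_t n) {
    p.data = new (std::nothrow) std::uint8_t[n]();
    p.size = p.data ? n : 0;
    return p.data != nullptr;
}

// Stand-in for the per-tile decoder (assumption). A real decoder would parse
// the tile bitstream; here the tile whose index equals `corrupted` fails and,
// as the advisory describes, writes nothing into its region of the canvas.
bool decode_tile(Plane& y, int tx, int ty, int corrupted) {
    const int idx = ty * kGrid + tx;
    if (idx == corrupted) return false;
    for (int row = 0; row < kTile; ++row) {
        std::uint8_t* dst = y.data + (ty * kTile + row) * kCanvas + tx * kTile;
        std::memset(dst, 0x80 + idx, kTile);   // constructed pixel value per tile
    }
    return true;
}

// Defective flow: uninitialised canvas, and with strict == false a failed
// tile is swallowed, so the caller gets kOk plus heap contents as pixels.
int decode_grid_vulnerable(Plane& y, int corrupted, bool strict) {
    if (!alloc_uninitialized(y, std::size_t(kCanvas) * kCanvas)) return kAllocFailed;
    for (int ty = 0; ty < kGrid; ++ty)
        for (int tx = 0; tx < kGrid; ++tx)
            if (!decode_tile(y, tx, ty, corrupted) && strict) return kTileFailed;
    return kOk;
}

// Hardened flow: the canvas starts fully defined, and a failed tile is
// always reported, whether or not the caller asked for strict decoding.
int decode_grid_fixed(Plane& y, int corrupted) {
    if (!alloc_zeroed(y, std::size_t(kCanvas) * kCanvas)) return kAllocFailed;
    int status = kOk;
    for (int ty = 0; ty < kGrid; ++ty)
        for (int tx = 0; tx < kGrid; ++tx)
            if (!decode_tile(y, tx, ty, corrupted)) status = kTileFailed;
    return status;
}

// Defender-side check: true if every byte of tile `idx` equals `value`.
bool tile_region_is(const Plane& y, int idx, std::uint8_t value) {
    if (!y.data) return false;
    const int tx = idx % kGrid, ty = idx / kGrid;
    for (int row = 0; row < kTile; ++row) {
        const std::uint8_t* src = y.data + (ty * kTile + row) * kCanvas + tx * kTile;
        for (int col = 0; col < kTile; ++col)
            if (src[col] != value) return false;
    }
    return true;
}
```

With tile 3 marked corrupted, `decode_grid_vulnerable(y, 3, false)` returns kOk even though that 4,096-byte region was never written, which is the condition the description above calls out; the same call with strict decoding returns kTileFailed. `decode_grid_fixed` reports kTileFailed and leaves the region at kFill, so a pipeline following the third recommended action has both an error code to act on and a defined canvas to inspect.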



Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Struktur; Struktur libheif
Type: Vendors & Products
Values Added: Struktur; Struktur libheif

Wed, 20 May 2026 00:15:00 +0000

Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Moderate


Tue, 19 May 2026 20:30:00 +0000

Type: Description
Values Added: (the Description shown at the top of this page)
Type: Title
Values Added: libheif: Uninitialized Heap Memory Information Leak via Failed Grid Tiles
Type: Weaknesses
Values Added: CWE-200, CWE-908
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T14:06:00.428Z

Reserved: 2026-03-16T17:35:36.696Z

Link: CVE-2026-32814

Vulnrichment

Updated: 2026-05-20T14:05:45.524Z

NVD

Status: Deferred

Published: 2026-05-19T21:16:42.223

Modified: 2026-05-20T14:16:41.740

Link: CVE-2026-32814

Redhat

Severity: Moderate

Public Date: 2026-05-19T19:49:23Z

Links: CVE-2026-32814 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T10:00:04Z

Weaknesses