Description
libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100×50 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in versionThis issue has been fixed in version 1.22.0.
Published: 2026-05-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

libheif’s overlay compositing routine performs a heap buffer over‑read when an overlay image’s alpha channel has a different bit depth than its color channels. The routine incorrectly uses the color stride to index the alpha buffer, allowing reads beyond its end—up to 3,123 bytes in a 100×50 10‑bit image. A crafted HEIF file can trigger this read, leading to a crash (denial of service) or leakage of adjacent heap memory, potentially exposing sensitive data in the decoded output pixels.

Affected Systems

strukturag libheif, versions 1.21.2 and earlier, are affected. The vulnerability was fixed in release 1.22.0 and later versions. Any system that decodes HEIF/AVIF files using these library versions is at risk.

Risk and Exploitability

The vulnerability is rated CVSS 7.1 (high). EPSS is not available and the issue is not listed in the CISA KEV catalog. Attack requires a crafted HEIF file containing an overlay with mismatched alpha bit depth supplied to the libheif decoder. The exploit can be local—any application that uses the library to open a file can trigger the over‑read, or remote if the attacker can cause the target to process malicious content from an untrusted source.

Generated by OpenCVE AI on May 19, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade struktura libheif to version 1.22.0 or later to eliminate the over‑read.
  • Restrict execution of unchecked HEIF files to a sandboxed environment with limited privileges to contain potential crashes or memory disclosures.
  • Validate or sanitize overlay parameters in HEIF files before decoding, ensuring that alpha bit depth matches color bit depth and that stride values are within bounds to prevent out‑of‑bounds reads.

Generated by OpenCVE AI on May 19, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Struktur
Struktur libheif
Vendors & Products Struktur
Struktur libheif

Wed, 20 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 19 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100×50 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in versionThis issue has been fixed in version 1.22.0.
Title libheif: Heap Buffer OOB Read in overlay compositing due to wrong alpha stride
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}

Subscriptions

Struktur Libheif
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T17:23:02.780Z

Reserved: 2026-03-16T21:03:44.420Z

Link: CVE-2026-32882

cve-icon Vulnrichment

Updated: 2026-05-20T17:22:08.118Z

cve-icon NVD

Status : Deferred

Published: 2026-05-19T21:16:42.363

Modified: 2026-05-20T18:16:26.880

Link: CVE-2026-32882

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-19T20:07:21Z

Links: CVE-2026-32882 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:00:04Z

Weaknesses