Description
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS. A malformed file can have stco.entry_count == 0 (creating no chunks) while still passing validation because saio.entry_count == 0 matches, but with saiz.sample_count > 0 the SampleAuxInfoReader constructor still enters its loop. This leads to an out-of-bounds dereference on the empty chunks[0] in chunked mode.
Published: 2026-05-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an out-of-bounds read and invalid dereference triggered when libheif parses a malformed HEIF sequence file. The core sequence parser accepts a file whose stco.entry_count is zero because the consistency check only compares it against saio.entry_count, which is also zero; the SampleAuxInfoReader constructor then still enters its loop when saiz.sample_count is greater than zero. The loop dereferences chunks[0] although no chunks exist, causing a crash and denial of service. This weakness is catalogued as CWE-125 (Out-of-Bounds Read) and CWE-476 (Dereference of Null Pointer).
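The mechanism above comes down to two sample-table boxes agreeing with each other (stco and saio both empty) while a third (saiz) still declares samples. The following added example is not libheif's code and makes no claim about its internals; it shows, with hypothetical names (Chunk, SampleTables, check_sample_aux_consistency, SampleAuxInfoReader, reader_rejects), the cross-box check that rejects that combination before any reader is built, and a reader constructor that refuses to index an empty chunk list instead of reading past it. The standard box meanings are assumed: stco lists chunk offsets, saio lists aux-info offsets, saiz lists per-sample aux-info sizes.

```cpp
// Added illustrative example; not libheif's code. Chunk, SampleTables,
// check_sample_aux_consistency, SampleAuxInfoReader and reader_rejects are
// hypothetical names chosen to mirror the boxes and class the CVE text names.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// One entry from the chunk-offset table ('stco'/'co64').
struct Chunk {
  uint64_t offset;        // file offset where the chunk starts
  uint32_t sample_count;  // samples stored in this chunk
};

// Entry counts as they would be read from the three boxes (constructed values
// in the tests; a real demuxer fills them from the file).
struct SampleTables {
  uint32_t stco_entry_count;   // number of chunks
  uint32_t saio_entry_count;   // number of aux-info offset entries
  uint32_t saiz_sample_count;  // number of per-sample aux-info sizes
};

// Returns an empty string when the tables are consistent, otherwise the
// reason the file should be rejected before any reader is constructed.
std::string check_sample_aux_consistency(const SampleTables& t) {
  // The comparison the CVE says the malformed file still passes (0 == 0).
  if (t.saio_entry_count != t.stco_entry_count)
    return "saio.entry_count does not match stco.entry_count";
  // The missing check: per-sample sizes declared while no chunk exists.
  if (t.stco_entry_count == 0 && t.saiz_sample_count > 0)
    return "saiz.sample_count > 0 but stco defines no chunks";
  return "";
}

// Computes a file offset for every sample's aux-info record in chunked mode.
// The guard at the top of the constructor is the point of the example: it
// refuses to index chunks[0] when the chunk list is empty, instead of reading
// out of bounds the way the loop described in the advisory does.
class SampleAuxInfoReader {
 public:
  SampleAuxInfoReader(const std::vector<Chunk>& chunks,
                      const std::vector<uint32_t>& sample_sizes)
      : chunks_(chunks), sample_sizes_(sample_sizes) {
    if (!sample_sizes_.empty() && chunks_.empty())
      throw std::runtime_error("aux-info sizes present but no chunks");

    std::size_t chunk_idx = 0;
    uint32_t in_chunk = 0;  // samples already placed in chunks_[chunk_idx]
    uint64_t pos = chunks_.empty() ? 0 : chunks_[0].offset;
    for (std::size_t i = 0; i < sample_sizes_.size(); ++i) {
      // Advance past every chunk that is already full (or declares 0 samples);
      // every access to chunks_[chunk_idx] is bounds-checked first.
      while (in_chunk == chunks_[chunk_idx].sample_count) {
        ++chunk_idx;
        if (chunk_idx >= chunks_.size())
          throw std::runtime_error("more samples than the chunks account for");
        in_chunk = 0;
        pos = chunks_[chunk_idx].offset;
      }
      offsets_.push_back(pos);
      pos += sample_sizes_[i];
      ++in_chunk;
    }
  }

  const std::vector<uint64_t>& offsets() const { return offsets_; }

 private:
  std::vector<Chunk> chunks_;
  std::vector<uint32_t> sample_sizes_;
  std::vector<uint64_t> offsets_;
};

// Convenience wrapper so callers (and the tests) can see whether construction
// was refused without handling the exception themselves.
bool reader_rejects(const std::vector<Chunk>& chunks,
                    const std::vector<uint32_t>& sample_sizes) {
  try {
    SampleAuxInfoReader reader(chunks, sample_sizes);
    (void)reader;
    return false;
  } catch (const std::runtime_error&) {
    return true;
  }
}
```

The two layers are deliberate: the table check runs once at parse time and gives a precise rejection reason for logging, while the constructor guard makes the reader safe even when called from a code path that skipped the table check. The second guard inside the loop also covers the related case of more samples than the chunks can hold.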

Affected Systems

The issue affects libheif version 1.21.2 and earlier, an open-source HEIF and AVIF decoder/encoder maintained by strukturag. Any application that links against these affected releases, including image viewers, media libraries, and server-side upload pipelines, could be impacted, as the vulnerable code resides in the core sequence parsing logic common to all such uses.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating moderate severity. Because EPSS data is not available, the exploitation likelihood cannot be quantified precisely, but since the trigger is simply a crafted HEIF file (the CVSS vector lists network access, no privileges, and user interaction), any target that parses externally supplied uploads or content is exposed. The issue has not been added to CISA's KEV catalog, and no public exploit is currently documented. Mitigation is to upgrade to libheif 1.22.0 or later, which removes the out-of-bounds dereference.

Generated by OpenCVE AI on May 22, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to libheif 1.22.0 or later, which contains the fix for the out-of-bounds dereference.
  • Validate HEIF input before parsing: reject files where stco.entry_count is zero but saiz.sample_count is non-zero, and enforce strict limits on file size and table entry counts.
  • Implement defensive coding around the SampleAuxInfoReader constructor so that it never indexes an empty chunks array.

Advisories

No advisories yet.

History

Fri, 22 May 2026 21:00:00 +0000 (record created; no values removed, the following values added)

Description: libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS. A malformed file can have stco.entry_count == 0 (creating no chunks) while still passing validation because saio.entry_count == 0 matches, but with saiz.sample_count > 0 the SampleAuxInfoReader constructor still enters its loop. This leads to an out-of-bounds dereference on the empty chunks[0] in chunked mode.
Title: libheif allows Out-of-bounds vector access leading to invalid dereference (DoS)
Weaknesses: CWE-125, CWE-476
References: none listed
Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T20:49:16.735Z

Reserved: 2026-04-16T16:43:03.174Z

Link: CVE-2026-41069

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T22:30:02Z

Weaknesses