Description
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track's chunk table causes a heap-buffer-overflow (out-of-bounds read) in the SampleAuxInfoReader constructor. The SampleAuxInfoReader constructor iterates over saiz->get_num_samples() samples but doesn't validate that this count is consistent with the number of chunks in the chunks vector. When saiz declares more samples than the chunks cover, the loop increments current_chunk past chunks.size(), causing an out-of-bounds read on the chunks vector. The vulnerability is triggered during file parsing (heif_context_read_from_file) without any additional user interaction. Any application using libheif to open untrusted HEIF files is affected. This issue has been fixed in version 1.22.0.
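To make the described failure concrete, here is an added C++ illustration (not libheif's own code) of the loop shape the description outlines next to a checked form; the Chunk type, the field and function names, and the "samples per chunk" layout are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical chunk-table entry: how many samples this chunk holds.
struct Chunk {
  uint32_t num_samples;
};

// Total number of samples the chunk table actually covers.
uint64_t samples_covered(const std::vector<Chunk>& chunks) {
  uint64_t total = 0;
  for (const Chunk& c : chunks) total += c.num_samples;
  return total;
}

// Vulnerable shape, as the advisory describes it: trusts declared_samples
// (the saiz count) and never compares current_chunk against chunks.size(),
// so a count larger than samples_covered() reads past the vector's end.
// Shown for contrast only; not exercised below.
size_t walk_unchecked(const std::vector<Chunk>& chunks, uint32_t declared_samples) {
  size_t current_chunk = 0;
  uint32_t in_chunk = 0;
  for (uint32_t s = 0; s < declared_samples; ++s) {
    while (in_chunk >= chunks[current_chunk].num_samples) {  // unchecked index
      ++current_chunk;
      in_chunk = 0;
    }
    ++in_chunk;
  }
  return current_chunk;
}

// Checked form: rejects a saiz count the chunk table cannot cover and bounds
// every dereference. Returns the owning chunk index per sample, or nullopt.
std::optional<std::vector<size_t>> map_samples_to_chunks(
    const std::vector<Chunk>& chunks, uint32_t declared_samples) {
  if (declared_samples > samples_covered(chunks)) return std::nullopt;
  std::vector<size_t> owner;
  owner.reserve(declared_samples);
  size_t current_chunk = 0;
  uint32_t in_chunk = 0;  // samples already consumed from current_chunk
  for (uint32_t s = 0; s < declared_samples; ++s) {
    while (current_chunk < chunks.size() && in_chunk >= chunks[current_chunk].num_samples) {
      ++current_chunk;  // skip exhausted (or empty) chunks
      in_chunk = 0;
    }
    if (current_chunk >= chunks.size()) return std::nullopt;  // defensive guard
    owner.push_back(current_chunk);
    ++in_chunk;
  }
  return owner;
}
```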
Published: 2026-05-22
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap buffer over-read that occurs when libheif parses a HEIF sequence file whose saiz box declares more samples than the chunks vector lists. The constructor of SampleAuxInfoReader iterates over the declared samples without checking that the count is covered by the actual chunks, so the loop reads past the end of the chunks vector. This out-of-bounds read can expose memory contents or crash the application. The flaw is a read-side buffer overrun (CWE-125).

Affected Systems

The flaw affects libheif version 1.21.2 and all earlier releases from the vendor strukturag. Applications that compile against those versions and allow untrusted HEIF files to be processed are vulnerable. The vendor released a fix in libheif 1.22.0, which adds the missing validation and clamps sample iteration to the bounds of the chunks vector.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS is not available, so the exploitation probability is unknown, and the issue is not listed in CISA KEV. The vulnerability is triggered during file parsing by heif_context_read_from_file, and no further interaction is required. An attacker who can supply an arbitrary HEIF file to a vulnerable application can trigger the over-read directly, potentially exposing sensitive data or causing a crash. The security impact therefore depends on how sensitive the application is to memory disclosure or loss of availability, and it is most relevant to systems that accept HEIF uploads from untrusted sources.

Generated by OpenCVE AI on May 22, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libheif to version 1.22.0 or later to apply the vendor patch that adds the missing bounds check.
  • If an upgrade is not immediately possible, restrict or deny processing of HEIF files originating from untrusted sources, and validate the saiz sample count against the chunk table before invoking libheif to detect mismatches.
  • Consider disabling HEIF support in critical applications or implementing additional runtime checks to prevent accidental out‑of‑bounds reads.


Tracking


Advisories

No advisories yet.

History

Fri, 22 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track's chunk table causes a heap-buffer-overflow (out-of-bounds read) in the SampleAuxInfoReader constructor. The SampleAuxInfoReader constructor iterates over saiz->get_num_samples() samples but doesn't validate that this count is consistent with the number of chunks in the chunks vector. When saiz declares more samples than the chunks cover, the loop increments current_chunk past chunks.size(), causing an out-of-bounds read on the chunks vector. The vulnerability is triggered during file parsing (heif_context_read_from_file) without any additional user interaction. Any application using libheif to open untrusted HEIF files is affected. This issue has been fixed in version 1.22.0.
Title libheif: Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz sample count
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T20:59:09.822Z

Reserved: 2026-04-16T16:43:03.174Z

Link: CVE-2026-41071

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T22:30:02Z

Weaknesses