Description
libheif is a HEIF and AVIF file format decoder and encoder. Prior to version 1.22.1, the uncompressed HEIF decoder validates explicit icef compressed-unit offsets using unit_offset + unit_size. Because the addition can wrap, a crafted HEIF file can pass the range check and then construct a vector from iterators outside the compressed item buffer, producing an out-of-bounds heap read and crash. Version 1.22.1 patches the issue.
Published: 2026-06-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in libheif allows a crafted HEIF file to bypass a range check due to a wraparound in the offset calculation for icef compressed‑unit blocks. The check uses unit_offset + unit_size, and when the addition overflows, the resulting value can be smaller than the actual size, permitting the decoder to construct iterators that reference data outside the intended buffer. This causes an out‑of‑bounds heap read, which typically results in a crash but could also expose data from adjacent memory, potentially leading to information disclosure. The weakness is identified as CWE‑125 (Out‑of‑Bounds Read) and CWE‑190 (Integer Overflow).

Affected Systems

The flaw exists in libheif by Struktur AG before version 1.22.1. Any application that links against a pre‑1.22.1 build of libheif and decodes uncompressed HEIF files is at risk. Common use cases include image processing libraries, media players, and document rendering engines that embed libheif for HEIC support.

Risk and Exploitability

The CVSS base score of 6.5 indicates a moderate severity. The EPSS score is about 0.00199, indicating a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been observed to date. The attack vector is inferred to be file‑based; an attacker who can supply a malicious HEIF file to the victim’s application may trigger the crash or read of sensitive memory. While there is no direct path to remote code execution in the provided description, a local or possibly remote flaw capable of causing a denial of service or information leak exists. The risk remains moderate, with exploitation likelihood contingent on the target’s exposure to untrusted HEIF files.

Generated by OpenCVE AI on June 30, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libheif to version 1.22.1 or later to apply the patched range check.
  • If an upgrade is not immediately possible, restrict or disable the decoding of uncompressed HEIF files in the affected application, or add an external wrapper that validates compressed‑unit offsets before passing the data to libheif.
  • Ensure that any external HEIF files are treated as untrusted input and processed in a sandboxed environment, with appropriate memory bounds checking and error handling to avoid exposure of adjacent memory.

Generated by OpenCVE AI on June 30, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8479-1 libheif vulnerabilities
History

Tue, 30 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Struktur
Struktur libheif
Vendors & Products Struktur
Struktur libheif

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description libheif is a HEIF and AVIF file format decoder and encoder. Prior to version 1.22.1, the uncompressed HEIF decoder validates explicit icef compressed-unit offsets using unit_offset + unit_size. Because the addition can wrap, a crafted HEIF file can pass the range check and then construct a vector from iterators outside the compressed item buffer, producing an out-of-bounds heap read and crash. Version 1.22.1 patches the issue.
Title libheif: Wrapped icef compressed-unit range check causes out-of-bounds read in uncompressed HEIF decoder
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

Struktur Libheif
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:05:02.343Z

Reserved: 2026-05-28T20:07:58.860Z

Link: CVE-2026-49271

cve-icon Vulnrichment

Updated: 2026-06-22T17:00:56.312Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-19T17:16:20Z

Links: CVE-2026-49271 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T14:00:06Z

Weaknesses