CVE-2024-41311

In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif file containing an overlay image with forged offsets can lead to an out-of-bounds read and write.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
mitreCNA
---
---
CISA-ADPADP
8.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
VendorProductVersion
strukturlibheif
1.17.6
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libheif
bullseye
vulnerable
bullseye (security)
1.11.0-1+deb11u2
fixed
bookworm
1.15.1-1+deb12u1
fixed
bookworm (security)
1.15.1-1+deb12u1
fixed
sid
1.19.8-1
fixed
trixie
1.19.8-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libheif
oracular
not-affected
noble
Fixed 1.17.6-1ubuntu4.1
released
jammy
not-affected
focal
not-affected
bionic
not-affected
Common Weakness Enumeration
References
https://gist.github.com/flyyee/79f1b224069842ee320115cafa5c35c0
https://github.com/strukturag/libheif/commit/a3ed1b1eb178c5d651d6ac619c8da3d71ac2be36
https://github.com/strukturag/libheif/issues/1226
https://github.com/strukturag/libheif/pull/1227
https://lists.debian.org/debian-lts-announce/2024/10/msg00025.html