CVE-2025-68431

EUVD-2025-205646
libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
Affected Products (NVD)
VendorProductVersion
strukturlibheif
𝑥
< 1.21.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libheif
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
postponed
bullseye (security)
vulnerable
forky
1.21.2-4
fixed
sid
1.23.1-1
fixed
trixie
no-dsa
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libheif-aom
suse enterprise desktop 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise sap 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise server 15 SP7
1.23.0-150700.3.15.1
fixed
libheif-dav1d
suse enterprise desktop 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise sap 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise server 15 SP7
1.23.0-150700.3.15.1
fixed
libheif-jpeg
suse enterprise desktop 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise sap 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise server 15 SP7
1.23.0-150700.3.15.1
fixed
libheif-rav1e
suse enterprise desktop 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise sap 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise server 15 SP7
1.23.0-150700.3.15.1
fixed
libheif1
suse enterprise desktop 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise sap 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise server 15 SP7
1.23.0-150700.3.15.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
heif-pixbuf-loader
Amazon Linux 2023
0:1.19.8-1.amzn2023.0.3
fixed
heif-pixbuf-loader-debuginfo
Amazon Linux 2023
0:1.19.8-1.amzn2023.0.3
fixed
libheif
Amazon Linux 2023
0:1.19.8-1.amzn2023.0.3
fixed
libheif-debuginfo
Amazon Linux 2023
0:1.19.8-1.amzn2023.0.3
fixed
libheif-debugsource
Amazon Linux 2023
0:1.19.8-1.amzn2023.0.3
fixed
libheif-devel
Amazon Linux 2023
0:1.19.8-1.amzn2023.0.3
fixed
libheif-tools
Amazon Linux 2023
0:1.19.8-1.amzn2023.0.3
fixed
libheif-tools-debuginfo
Amazon Linux 2023
0:1.19.8-1.amzn2023.0.3
fixed