CVE-2026-32741
EUVD-2026-3098219.05.2026, 21:16
libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel buffer using memcpy(dst, data.data(), data.size()). The copy length data.size() is determined by the iloc extent in the file (attacker-controlled), while the destination buffer is sized based on the declared image dimensions. Because no upper-bound check exists on the data length, a crafted file whose iloc extent exceeds the pixel buffer allocation overflows the heap. The vulnerable single-memcpy branch is reached when the mskC property specifies bits_per_pixel = 8 and the ispe property declares an even width ≥ 64 (so that stride == width), with no changes to default security limits or external codec plugins required. This issue has been fixed in version 1.22.0.
Awaiting analysis
This vulnerability is currently awaiting analysis.
openSUSE / SLES Releases
openSUSE Product | |||||||
|---|---|---|---|---|---|---|---|
| libheif-aom |
| ||||||
| libheif-dav1d |
| ||||||
| libheif-jpeg |
| ||||||
| libheif-rav1e |
| ||||||
| libheif1 |
|
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| heif-pixbuf-loader |
| ||
| heif-pixbuf-loader-debuginfo |
| ||
| libheif |
| ||
| libheif-debuginfo |
| ||
| libheif-debugsource |
| ||
| libheif-devel |
| ||
| libheif-tools |
| ||
| libheif-tools-debuginfo |
|
Common Weakness Enumeration
- CWE-122 - Heap-based Buffer OverflowA heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
References