CVE-2026-32814

EUVD-2026-30980
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to decode and the library returns heif_error_Ok with no indication of failure, leading to an uninitialized heap memory information leak. The canvas is allocated via create_clone_image_at_new_size() → plane.alloc() → new (std::nothrow) uint8_t[allocation_size] which does not zero the memory; only the alpha plane is explicitly initialized via fill_plane(), so the Y, Cb, and Cr planes contain whatever was previously at that heap address. The failed tile's region of the canvas is never written. It retains uninitialized heap data that is delivered to the caller as decoded pixel values (4,096 bytes per Y/Cb/Cr plane = 12,288+ bytes total). Any application using libheif to decode grid-based HEIF/AVIF files with default settings is vulnerable: a crafted .heic or .avif file causes 4,096+ bytes of heap memory to appear as pixel values in the decoded image, and the calling application receives heif_error_Ok, so it has no indication the output contains heap garbage. In server-side image processing, an uploaded crafted HEIF decoded and re-encoded (e.g., as PNG/JPEG for thumbnails, CDN, social media) can leak cross-user data such as auth tokens, database results, and other users' image data. This issue has been fixed in version 1.22.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libheif-aom
suse enterprise desktop 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise sap 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise server 15 SP7
1.23.0-150700.3.15.1
fixed
libheif-dav1d
suse enterprise desktop 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise sap 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise server 15 SP7
1.23.0-150700.3.15.1
fixed
libheif-jpeg
suse enterprise desktop 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise sap 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise server 15 SP7
1.23.0-150700.3.15.1
fixed
libheif-rav1e
suse enterprise desktop 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise sap 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise server 15 SP7
1.23.0-150700.3.15.1
fixed
libheif1
suse enterprise desktop 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise sap 15 SP7
1.23.0-150700.3.15.1
fixed
suse enterprise server 15 SP7
1.23.0-150700.3.15.1
fixed