9 matches found
CVE-2025-43967
CVE-2025-43967 involves a NULL pointer dereference in libheif
CVE-2026-41071
CVE-2026-41071 affects libheif up to version 1.21.2. A crafted HEIF sequence file where the saiz box declares more samples than actually exist can trigger a heap‑buffer‑overflow (out‑of‑bounds read) in the SampleAuxInfoReader constructor when parsing via heif_context_read_from_file. The reader it...
CVE-2025-43966
CVE-2025-43966 affects libheif prior to 1.19.6, with a NULL pointer dereference in ImageItem_iden (iden.cc). Root cause: dereference of a null item reference leading to potential crash. Impact: availability may be reduced (per CVSS in public entry). Remediation: upgrade libheif to version 1.19.6 ...
CVE-2026-32740
libheif (HEIF/AVIF decoder/encoder) versions
CVE-2026-41069
Summary: CVE-2026-41069 affects libheif up to v1.21.2, where a malformed HEIF sequence can trigger an out-of-bounds read in core sequence parsing, leading to DoS. The issue occurs when stco.entry_count == 0 but saiz.sample_count > 0, causing the SampleAuxInfoReader loop to dereference an empty...
CVE-2025-68431
CVE-2025-68431 affects libheif prior to version 1.21.0, where a crafted HEIF exploiting the overlay image item path triggers a heap buffer over-read in HeifPixelImage::overlay() . The root cause is a negative row length (likely from an unclipped overlay rectangle or invalid offsets) that underflo...
CVE-2026-32738
libheif (versions
CVE-2026-49271
CVE-2026-49271 affects libheif prior to 1.22.1. The uncompressed HEIF decoder validates icef compressed-unit offsets with unit_offset + unit_size, which can wrap and allow constructing iterators outside the compressed item buffer, causing an out-of-bounds heap read and crash. This vulnerability i...
CVE-2026-32739
libheif (HEIF/AVIF decoder) is affected through versions 1.21.2 and earlier, where a crafted 800-byte HEIF sequence file can trigger an infinite loop in Box_stts::get_sample_duration() during parsing, causing 100% CPU DoS with no progress and no crashログ. The issue is triggered on file open and is...