Insufficient Input Validation in Libheif Affects Image Handling
CVE-2024-41311

8.1HIGH

Key Information:

Vendor: strukturag
Status: Libheif
Vendor: CVE Published:; 15 October 2024

What is CVE-2024-41311?

In version 1.17.6 of Libheif, insufficient validation in the ImageOverlay::parse() function can allow attackers to exploit forged offsets within a HEIF file that contains an overlay image. This can lead to both out-of-bounds reads and writes, potentially compromising the security of the application utilizing this library. Proper sanitation of input data is crucial to mitigating this risk to ensure the stability and security of image processing operations.

References

https://github.com/strukturag/libheif/issues/1226

https://github.com/strukturag/libheif/pull/1227

https://github.com/strukturag/libheif/commit/a3ed1b1eb178...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 15, 2024

CVE-2024-41311 Data

JSON