Heap Buffer Overflow in libheif HEIF and AVIF File Format Decoder by Struktur AG
CVE-2026-32741

7.1HIGH

Key Information:

Vendor: Strukturag
Status: Libheif
Vendor: CVE Published:; 19 May 2026

What is CVE-2026-32741?

The libheif library, responsible for decoding HEIF and AVIF file formats, is vulnerable to a heap buffer overflow. This vulnerability arises from a flaw in the MaskImageCodec::decode_mask_image() function, specifically when decoding a HEIF file containing a mask image. The function improperly copies the full extent of data into a pixel buffer using memcpy without verifying the size, allowing attackers to create crafted files that exceed buffer allocations, leading to potential exploit scenarios. Versions prior to 1.22.0 are affected, and users are advised to upgrade to mitigate this risk.

Affected Version(s)

libheif < 1.22.0

References

https://github.com/strukturag/libheif/security/advisories...

x_refsource_CONFIRM

https://github.com/strukturag/libheif/releases/tag/v1.22.0

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2026
Vulnerability Reserved
Mar 13, 2026

CVE-2026-32741 Data

JSON

Strukturag

What is CVE-2026-32741?

Affected Version(s)

References

CVSS V3.1

Timeline