Heap Buffer Over-read in Libheif File Format Decoder from Struktur AG
CVE-2026-32882

7.1 HIGH

Key Information:

Vendor: Strukturag

Status
Vendor
CVE Published: 19 May 2026

What is CVE-2026-32882?

CVE-2026-32882 is a heap buffer over-read in libheif, a decoder and encoder for the HEIF and AVIF file formats. It is triggered when libheif processes overlay images whose alpha and color channels have mismatched bit depths. The flaw stems from improper indexing of the alpha plane during image compositing, and it can result in denial of service through crashes or in disclosure of adjacent heap memory contents. Versions prior to 1.22.0 are affected; updating to the latest version resolves the issue.

Affected Version(s)

libheif < 1.22.0

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved