Heap Buffer Overflow Vulnerability in libheif HEIF and AVIF Decoder
CVE-2026-41071

5.1MEDIUM

Key Information:

Vendor: Strukturag
Status: Libheif
Vendor: CVE Published:; 22 May 2026

What is CVE-2026-41071?

The libheif library, responsible for decoding HEIF and AVIF file formats, is susceptible to a heap buffer overflow due to improper validation of sample counts. When a specially crafted HEIF sequence file is processed, the saiz box may indicate more samples than exist in the corresponding chunk table, leading to an out-of-bounds read. This vulnerability arises during the file parsing process and can be exploited by applications utilizing libheif to open untrusted HEIF files. The issue has been addressed in version 1.22.0, which is recommended for all users.

Affected Version(s)

libheif < 1.22.0

References

https://github.com/strukturag/libheif/security/advisories...

x_refsource_CONFIRM

https://github.com/strukturag/libheif/releases/tag/v1.22.0

x_refsource_MISC

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 22, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-41071 Data

JSON

Strukturag

What is CVE-2026-41071?

Affected Version(s)

References

CVSS V4

Timeline