Heap Exposure Vulnerability in libheif HEIF and AVIF Decoder by StrukturAG
CVE-2026-49271

6.5 MEDIUM

Key Information:

Vendor: Strukturag

Status
Vendor
CVE Published: 19 June 2026

What is CVE-2026-49271?

The libheif library, which decodes and encodes the HEIF and AVIF file formats, has a vulnerability in its uncompressed HEIF decoder. Prior to version 1.22.1, the decoder improperly validates compressed-unit offsets. An attacker can craft a malformed HEIF file that causes the decoder to perform unsafe memory operations, leading to an out-of-bounds heap read. The possible consequences include crashing the application or revealing sensitive information.
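The following is an added illustration of the bug class described above (an offset taken from untrusted file metadata and used to read from a heap buffer); it is not libheif's code and does not reproduce the actual fix. The names `unit_ref`, `unit_in_bounds_weak`, `unit_in_bounds` and `copy_unit` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical descriptor for one compressed unit, as parsed from
 * untrusted file metadata. Not a libheif type. */
struct unit_ref {
    uint64_t offset; /* start of the unit within the payload */
    uint64_t size;   /* length of the unit in bytes */
};

/* Weak check: offset + size can wrap around, so a huge offset passes. */
int unit_in_bounds_weak(const struct unit_ref *u, size_t payload_len)
{
    return u->offset + u->size <= payload_len;
}

/* Overflow-safe check: compare size against the bytes remaining after
 * offset instead of summing two attacker-controlled values. */
int unit_in_bounds(const struct unit_ref *u, size_t payload_len)
{
    if (u->offset > payload_len)
        return 0;
    return u->size <= payload_len - u->offset;
}

/* Copy a unit out of the payload only after validation.
 * Returns bytes copied, or -1 if the unit is out of range or the
 * output buffer is too small. */
long copy_unit(const uint8_t *payload, size_t payload_len,
               const struct unit_ref *u, uint8_t *out, size_t out_cap)
{
    if (!unit_in_bounds(u, payload_len) || u->size > out_cap)
        return -1;
    memcpy(out, payload + u->offset, (size_t)u->size);
    return (long)u->size;
}
```

A decoder that rejects the file as soon as any unit fails this check never reaches the read that would leave the heap buffer.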

Affected Version(s)

libheif < 1.22.1

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
