CVE-2026-32738
Description
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chunk=0 in the stsc box causes an unsigned integer underflow in the Chunk constructor (m_last_sample = 0 + 0 - 1 = UINT32_MAX), mapping all samples to an empty chunk and resulting in a denial of service. When any sample is accessed, the library reads from index 0 of an empty std::vector, causing a guaranteed SEGV (null-page read). The file parses successfully without producing an error; the crash occurs on the first frame access. This issue has been fixed in version 1.22.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In libheif <=1.21.2, a crafted HEIF file with samples_per_chunk=0 in the stsc box causes an unsigned integer underflow leading to a null-page read and denial of service.
Vulnerability
In libheif versions 1.21.2 and below, the Box_stsc::parse() function fails to validate that the samples_per_chunk field read from the file is non-zero, as required by the ISO 14496-12 specification. A crafted HEIF sequence file of 792 bytes with samples_per_chunk=0 triggers an unsigned integer underflow in the Chunk constructor (m_last_sample = first_sample + num_samples - 1 yields UINT32_MAX when num_samples is 0). This causes the m_sample_ranges vector to remain empty, yet all samples are mapped to this empty chunk because last_sample_number() returns UINT32_MAX. The file parses without error; the crash occurs on first frame access [1].
Exploitation
An attacker needs only to supply a crafted HEIF/AVIF file (e.g., via a web upload, email attachment, or other vector) that is parsed by an application using the vulnerable libheif library. No authentication or special privileges are required. When any sample is accessed by the library—typically on reading the first frame—the function Chunk::get_data_extent_for_sample() reads from index 0 of the empty m_sample_ranges vector, causing a guaranteed SEGV (null-page read) [1].
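The arithmetic and the empty-vector lookup described in the Vulnerability and Exploitation sections, as an added C++ model that is not libheif source code and not the project's fix. `ChunkModel`, `SampleRange`, `claims`, `extent_for` and `stsc_entry_is_valid` are hypothetical names, and the offsets and sizes are constructed values; the model shows the wrapped `last_sample`, then a parse-time check and a bounds-checked accessor of the kind that stop the read.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified model of the bookkeeping described above; an assumed layout, not libheif source.
struct SampleRange { uint64_t offset; uint32_t size; };

struct ChunkModel {
  uint32_t first_sample;
  uint32_t last_sample;             // first_sample + num_samples - 1 (wraps when num_samples == 0)
  std::vector<SampleRange> ranges;  // one entry per sample in the chunk

  ChunkModel(uint32_t first, uint32_t num_samples, uint32_t sample_size, uint64_t chunk_offset)
      : first_sample(first), last_sample(first + num_samples - 1u) {
    for (uint32_t i = 0; i < num_samples; i++)
      ranges.push_back({chunk_offset + uint64_t(i) * sample_size, sample_size});
  }

  // Lookup test used to map a sample number to its chunk.
  bool claims(uint32_t sample) const {
    return sample >= first_sample && sample <= last_sample;
  }

  // Defensive accessor: refuses an index outside the vector instead of reading ranges[0] blindly.
  bool extent_for(uint32_t sample, SampleRange& out) const {
    if (sample < first_sample) return false;
    uint32_t idx = sample - first_sample;
    if (idx >= ranges.size()) return false;
    out = ranges[idx];
    return true;
  }
};

// Parse-time check: reject an stsc entry whose samples_per_chunk is zero.
bool stsc_entry_is_valid(uint32_t samples_per_chunk) {
  return samples_per_chunk != 0;
}

int main() {
  ChunkModel bad(0, 0, 16, 1024);  // constructed values: samples_per_chunk = 0
  SampleRange r{};
  std::printf("last_sample=%u claims(7)=%d extent_found=%d entry_valid=%d\n",
              (unsigned)bad.last_sample, bad.claims(7), bad.extent_for(7, r),
              stsc_entry_is_valid(0));
  return 0;
}
```

With zero samples the chunk still claims every sample number while holding no ranges, which is why the check belongs at parse time, before any chunk is built.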
Impact
Successful exploitation results in a denial of service (SEGV crash). No code execution, information disclosure, or privilege escalation is described. The crash is deterministic and occurs reliably on the first frame access, making the vulnerability a straightforward denial-of-service vector [1].
Mitigation
The issue has been fixed in libheif version 1.22.0 (released 2026-05-19). Users should upgrade to 1.22.0 or later. There is no known workaround; applications that cannot immediately upgrade should avoid processing untrusted HEIF/AVIF files. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.21.2
- (no CPE) range: <=1.21.2
Patches
No patches discovered yet.
References
[1] github.com/strukturag/libheif/security/advisories/GHSA-7f2h-cmpf-v9ww (source: nvd; tags: Exploit, Vendor Advisory)