CVE-2026-32739
Description
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 100% CPU indefinitely with zero progress, leading to DoS. The loop has no iteration limit or timeout and is triggered during file open (parsing) - before any user interaction or image decoding. The process stays alive (no crash, no error logged), making it invisible to crash-based monitoring. This issue has been fixed in version 1.22.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In libheif ≤1.21.2, a crafted HEIF sequence file triggers an infinite loop in Box_stts::get_sample_duration(), causing a CPU-based denial of service via file parsing before any user interaction.
Vulnerability
A missing loop-variable increment in Box_stts::get_sample_duration() (in libheif/sequences/seq_boxes.cc, lines 622–631) causes an infinite loop when m_entries[0].sample_count equals 0. The function loops on while (i < m_entries.size()) but never increments i; with a sample_count of 0, the subtraction sample_idx -= 0 is a no-op in unsigned arithmetic, so no state changes between passes and the loop repeats forever. The same pattern exists in Box_ctts::get_sample_offset(). Versions 1.21.2 and below are affected. A crafted 800‑byte HEIF sequence file can bypass a consistency check by using two stts entries (entry[0] with sample_count=0 and entry[1] with sample_count=2) so that the sum still matches the required sample count, allowing the vulnerable code path to be reached during file opening [2].
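The zero-count case described above, as an added C++ example (not libheif's source; SttsEntry and the function names are hypothetical, and the entry values used with it are constructed). It shows a capped model of the non-advancing loop, a parse-time check that rejects zero-count entries which a sum-only comparison accepts, and a lookup that advances on every pass.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for one stts entry; not libheif's own type.
struct SttsEntry {
  uint32_t sample_count;
  uint32_t sample_delta;
};

// Model of the described loop shape (i never advances), with a step cap added
// so it returns. false means the cap was hit: the uncapped loop would spin.
bool lookup_without_increment(const std::vector<SttsEntry>& entries,
                              uint32_t sample_idx, size_t max_steps, uint32_t* delta_out) {
  size_t i = 0;
  for (size_t step = 0; step < max_steps && i < entries.size(); ++step) {
    if (sample_idx < entries[i].sample_count) {
      *delta_out = entries[i].sample_delta;
      return true;
    }
    sample_idx -= entries[i].sample_count;  // no-op when sample_count == 0
  }
  return false;
}

// Parse-time check: a sum-only comparison accepts counts {0, 2} for two
// samples, so zero-count entries are rejected explicitly.
bool stts_entries_valid(const std::vector<SttsEntry>& entries, uint64_t expected) {
  uint64_t total = 0;
  for (const SttsEntry& e : entries) {
    if (e.sample_count == 0) return false;
    total += e.sample_count;
  }
  return total == expected;
}

// Lookup that advances i on every pass: at most entries.size() iterations.
bool lookup_bounded(const std::vector<SttsEntry>& entries,
                    uint32_t sample_idx, uint32_t* delta_out) {
  for (size_t i = 0; i < entries.size(); ++i) {
    if (sample_idx < entries[i].sample_count) {
      *delta_out = entries[i].sample_delta;
      return true;
    }
    sample_idx -= entries[i].sample_count;
  }
  return false;  // sample_idx is past the last entry
}
```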
Exploitation
An attacker needs only the ability to supply a crafted HEIF sequence file to a target (e.g., via a download, email attachment, or web‑based image processing service). No authentication, user interaction beyond file open, or special network position is required. The file triggers the parsing chain: heif_context_read_from_file() → HeifContext::interpret_heif_file() → Track::alloc_track() → Track::load() → init_sample_timing_table() → Box_stts::get_sample_duration(), which then loops infinitely [2]. The same missing‑increment bug in Box_ctts::get_sample_offset() provides a second attack surface.
Impact
The process spins at 100% CPU with zero progress and does not crash or log an error, making the denial‑of‑service invisible to crash‑based monitoring. The infinite loop occurs before any image decoding or user interaction, so the target application becomes permanently unresponsive until forcibly terminated. The impact is limited to availability (DoS); no data is disclosed or modified.
Mitigation
The issue is fixed in libheif version 1.22.0 [1]. Users should upgrade to 1.22.0 or later. There is no known workaround for versions 1.21.2 and below. No KEV listing has been published as of the advisory date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=1.21.2
Patches
No patches discovered yet.
References
- github.com/strukturag/libheif/security/advisories/GHSA-j9g7-q9hv-gq8c (nvd: Exploit, Vendor Advisory)
- github.com/strukturag/libheif/releases/tag/v1.22.0 (nvd: Release Notes)