CVE-2026-32740
Description
libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow (write) vulnerability in the grid tile compositing, allowing an attacker to write 64 bytes of fully attacker-controlled data past the end of a chroma plane heap allocation by crafting a HEIF/AVIF file with a 1×4 grid of odd-height tiles. The overflow is triggered during normal image decoding with default build configuration. The written bytes are chroma (Cb/Cr) pixel values from the attacking tile, giving the attacker full control over the overflow content. This issue has been fixed in version 1.22.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap-buffer-overflow write in libheif grid tile compositing allows attacker-controlled 64-byte OOB write via crafted HEIF/AVIF file.
Vulnerability
A heap-buffer-overflow (write) vulnerability exists in libheif's grid tile compositing, specifically in the HeifPixelImage::copy_image_to() function at libheif/pixelimage.cc line 1207 [2]. Versions 1.21.2 and prior are affected. The bug occurs when compositing grid tiles with YCbCr 4:2:0 chroma subsampling. Due to a rounding mismatch in the calculation of the chroma plane offset (ys) and copy height (copy_height), the sum ys + copy_height can exceed the allocated chroma plane height by one row, leading to an out-of-bounds write [2]. The overflow is triggered when all of the following conditions hold: a grid image with YCbCr 4:2:0 chroma subsampling, odd tile height (e.g., 33, 65, 129), canvas height divisible by 4, canvas height ≥ 128, and at least 4 tile rows [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious HEIF or AVIF file with a 1×4 grid of odd-height tiles (e.g., canvas 64×260, tile height 65) [2]. No authentication or special privileges are required; the file is decoded normally with default build configuration. The overflow writes 64 bytes of fully attacker-controlled chroma (Cb/Cr) pixel values past the end of the chroma plane heap allocation [2]. The written bytes originate from the attacking tile, giving the attacker full control over the overflow content.
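The row arithmetic behind the overflow, together with a clamp against the destination plane that keeps the copy in bounds, as an added example that is not libheif's code or its actual fix. It assumes 4:2:0 chroma sizes and offsets are rounded up as (n + 1) / 2, which the text above does not spell out; `chroma_rows`, `place_tile` and `worst_excess` are hypothetical names, and the 260/65 geometry is the one quoted above.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>

// Assumption: 4:2:0 chroma rows are derived by rounding up, (n + 1) / 2.
// The page only states that ys and copy_height round inconsistently.
static uint32_t chroma_rows(uint32_t luma_rows) { return (luma_rows + 1) / 2; }

struct TilePlacement {
  uint32_t ys;           // first chroma row written in the canvas plane
  uint32_t copy_height;  // chroma rows the tile asks to copy
  uint32_t safe_height;  // rows that actually fit in the plane
  uint32_t excess_rows;  // rows that would land past the allocation
};

// Place one tile whose top luma row is y0 into a canvas of canvas_h luma rows.
TilePlacement place_tile(uint32_t canvas_h, uint32_t tile_h, uint32_t y0) {
  const uint32_t plane_h = chroma_rows(canvas_h);
  TilePlacement p{};
  p.ys = chroma_rows(y0);
  p.copy_height = chroma_rows(tile_h);
  // Clamp against the destination plane itself, not against luma geometry.
  const uint32_t room = p.ys < plane_h ? plane_h - p.ys : 0;
  p.safe_height = std::min(p.copy_height, room);
  p.excess_rows = p.copy_height - p.safe_height;
  return p;
}

// Largest number of out-of-plane rows over all tile rows of a grid.
uint32_t worst_excess(uint32_t canvas_h, uint32_t tile_h, uint32_t tile_rows) {
  uint32_t worst = 0;
  for (uint32_t r = 0; r < tile_rows; ++r)
    worst = std::max(worst, place_tile(canvas_h, tile_h, r * tile_h).excess_rows);
  return worst;
}

int main() {
  // Geometry quoted on the page: canvas height 260, four tile rows of height 65.
  for (uint32_t r = 0; r < 4; ++r) {
    const TilePlacement p = place_tile(260, 65, r * 65);
    std::printf("tile row %u: ys=%u copy=%u safe=%u excess=%u\n",
                r, p.ys, p.copy_height, p.safe_height, p.excess_rows);
  }
  return 0;
}
```

Under this assumed rounding only the fourth tile row runs past the 130-row chroma plane, by the single row described above. The model does not capture the allocation details behind the other listed trigger conditions.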
Impact
Successful exploitation allows an attacker to write 64 bytes of controlled data to heap memory beyond the allocated buffer [2]. This heap corruption can potentially lead to arbitrary code execution, information disclosure, or denial of service, depending on the heap layout and subsequent operations. The attacker gains full control over the overflow content, increasing the severity of the impact.
Mitigation
The vulnerability has been fixed in libheif version 1.22.0 [1]. Users are strongly advised to upgrade to this version or later. No workarounds are documented in the available references. As of the publication date, this CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=1.21.2
Patches
No patches discovered yet.
References
- github.com/strukturag/libheif/security/advisories/GHSA-frfr-f3vg-2g6j (nvd: Exploit, Vendor Advisory)
- github.com/strukturag/libheif/releases/tag/v1.22.0 (nvd: Release Notes)