VYPR
High severity · 7.1 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-32741

Description

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel buffer using memcpy(dst, data.data(), data.size()). The copy length data.size() is determined by the iloc extent in the file (attacker-controlled), while the destination buffer is sized based on the declared image dimensions. Because no upper-bound check exists on the data length, a crafted file whose iloc extent exceeds the pixel buffer allocation overflows the heap. The vulnerable single-memcpy branch is reached when the mskC property specifies bits_per_pixel = 8 and the ispe property declares an even width ≥ 64 (so that stride == width), with no changes to default security limits or external codec plugins required. This issue has been fixed in version 1.22.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap buffer overflow in libheif <=1.21.2 allows denial of service or potential code execution when decoding a crafted HEIF mask image with an oversized iloc extent.

Vulnerability

A heap buffer overflow exists in MaskImageCodec::decode_mask_image() in libheif versions 1.21.2 and below [1]. When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel buffer using memcpy(dst, data.data(), data.size()) on line 117 of libheif/image-items/mask_image.cc [1]. The copy length (data.size()) is determined by the attacker-controlled extent_length field in the iloc box, while the destination buffer is sized based on the declared image dimensions [1]. No upper-bound check exists on the data length, so a crafted file whose iloc extent exceeds the pixel buffer allocation overflows the heap [1]. The vulnerable single-memcpy branch is reached when the mskC property specifies bits_per_pixel = 8 and the ispe property declares an even width ≥ 64 (so that stride equals width) [1]. Reaching this branch requires no changes to the default security limits and no external codec plugins [1].
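The missing upper-bound check described above, shown as an added example; this is not libheif's code and not the 1.22.0 patch. The function name copy_mask_plane, the MaskCopy status values, and the choice to reject (rather than truncate) an oversized extent are assumptions made for illustration, and the sample buffers are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <vector>

enum class MaskCopy { Ok, BadDimensions, Truncated, Oversized };

// Hypothetical stand-in for the 8-bit branch where stride == width.
// `plane` models the pixel buffer allocated from the declared (ispe) dimensions;
// `extent` models the bytes read from the iloc extent, whose length is file-controlled.
MaskCopy copy_mask_plane(std::vector<uint8_t>& plane, uint32_t width,
                         uint32_t height, const std::vector<uint8_t>& extent) {
  if (width == 0 || height == 0) return MaskCopy::BadDimensions;
  // Compute width * height in size_t and refuse values that would wrap.
  if (height > std::numeric_limits<size_t>::max() / width) return MaskCopy::BadDimensions;
  const size_t needed = static_cast<size_t>(width) * height;
  if (plane.size() < needed) return MaskCopy::BadDimensions;
  // Pattern described in the advisory: the length comes from the file.
  //   memcpy(dst, data.data(), data.size());
  // Hardened form: the length comes from the destination, and the source
  // must match it exactly before any byte is copied.
  if (extent.size() < needed) return MaskCopy::Truncated;   // would over-read the source
  if (extent.size() > needed) return MaskCopy::Oversized;   // would overflow the plane
  std::memcpy(plane.data(), extent.data(), needed);
  return MaskCopy::Ok;
}

int main() {
  const uint32_t w = 64, h = 4;  // constructed sample dimensions (even width >= 64)
  std::vector<uint8_t> plane(w * h);
  std::vector<uint8_t> exact(w * h, 0xFF), big(w * h + 16, 0xFF);
  std::printf("exact extent:     %d\n", static_cast<int>(copy_mask_plane(plane, w, h, exact)));
  std::printf("oversized extent: %d\n", static_cast<int>(copy_mask_plane(plane, w, h, big)));
  return 0;
}
```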

Exploitation

An attacker needs only the ability to deliver a crafted HEIF file to an application that decodes it with libheif (e.g., via a web browser rendering an AVIF image, or a media application opening a HEIF file) [1]. The attacker crafts a HEIF file containing a mask image item with declared image dimensions (e.g., even width ≥ 64) and an iloc extent length larger than the derived pixel buffer size [1]. When the library decodes the file, the vulnerable memcpy copies the oversized data into the undersized heap buffer, causing an overflow [1]. No authentication or user interaction beyond opening the file is required [1].

Impact

Successful exploitation results in heap corruption [1]. The immediate impact is denial of service (crash), but heap-based buffer overflows can potentially be leveraged for arbitrary code execution depending on heap layout and mitigation controls [1]. The compromise occurs at the privilege level of the process using libheif [1].

Mitigation

The issue has been fixed in libheif version 1.22.0, released on 2026-05-19 [2]. Users should upgrade to version 1.22.0 or later [2]. No workaround is available for unpatched versions [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Strukturag/Libheif (2 versions)
    • (no CPE)
    • (no CPE), range: <=1.21.2

Patches

0

No patches discovered yet.

References

2
