VYPR
High severity · CVSS 7.1 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-32882

Description

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100×50 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in version 1.22.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap buffer over-read in libheif's overlay compositing can cause denial of service or information disclosure via crafted HEIF files.

Vulnerability

A heap buffer over-read exists in HeifPixelImage::overlay() in libheif/pixelimage.cc in libheif versions 1.21.2 and prior. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the alpha plane's own stride (alpha_stride), which it has already retrieved [1]. Because a 10-bit color plane has a wider row stride than an 8-bit alpha plane of the same width, each successive row of alpha reads drifts further past the intended position, and reads eventually run past the end of the alpha buffer allocation, up to 3,123 bytes for a 100×50 image with 10-bit color and 8-bit alpha [1]. The bug sits in the overlay compositing code and is reachable through the public API heif_decode_image() [1].

Exploitation

An attacker can exploit this by crafting a HEIF file that contains an overlay image where the child image has mismatched bit depths between the alpha channel (e.g., 8-bit) and the color channels (e.g., 10-bit). The file must be decoded by a vulnerable version of libheif via any application that uses the library to parse HEIF/AVIF images. No authentication or special privileges are required; the victim only needs to open the malicious file. The call chain from the public API to the vulnerable code is: heif_decode_image() → HeifContext::decode_image() → ImageItem_Overlay::decode_compressed_image() → decode_overlay_image() → HeifPixelImage::overlay() [1]. The OOB read occurs at line 1835, where alpha_p[in_x0 + y * in_stride + x] is used instead of alpha_p[in_x0 + y * alpha_stride + x] [1].
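The stride mix-up described above, modelled as an added example. This is not libheif code and not taken from the advisory; it only reproduces the arithmetic of the bug. Assumptions that are mine, not the page's: plane strides and allocation heights are rounded up to 16 (bytes and rows respectively), in_stride is treated as a byte stride, and the overlay is composited at in_x0 = 0. Under those assumptions the farthest alpha read lands 3,123 bytes past the end of the alpha allocation for a 100×50 child with 10-bit color and 8-bit alpha, which agrees with the advisory's figure; real libheif padding may differ. The program never dereferences the bad offsets, it only checks them against the allocation, so it is safe to run without a sanitizer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumption (mine, not from libheif or the advisory): strides and allocation
// heights are rounded up to 16. This is what makes the numbers below match
// the advisory's 3,123-byte figure; libheif's real allocator may pad differently.
static const std::size_t kAlign = 16;

static std::size_t align_up(std::size_t v) {
  return (v + kAlign - 1) & ~(kAlign - 1);
}

// A decoded image plane: rows of `stride` bytes, `alloc_bytes` bytes in total.
struct Plane {
  std::size_t width;
  std::size_t height;
  std::size_t stride;       // bytes per row
  std::size_t alloc_bytes;  // bytes actually allocated for the plane
  std::vector<std::uint8_t> data;
};

static Plane make_plane(std::size_t w, std::size_t h, std::size_t bytes_per_sample) {
  Plane p;
  p.width = w;
  p.height = h;
  p.stride = align_up(w * bytes_per_sample);
  p.alloc_bytes = p.stride * align_up(h);
  p.data.assign(p.alloc_bytes, 0xFF);  // constructed content: fully opaque alpha
  return p;
}

// Offset the VULNERABLE code uses for alpha pixel (x, y): the colour plane's
// stride (in_stride) is applied to the alpha plane.
static std::size_t vuln_alpha_offset(std::size_t in_x0, std::size_t y,
                                     std::size_t x, std::size_t in_stride) {
  return in_x0 + y * in_stride + x;
}

// Offset the FIXED code uses: the alpha plane's own stride (alpha_stride).
static std::size_t fixed_alpha_offset(std::size_t in_x0, std::size_t y,
                                      std::size_t x, std::size_t alpha_stride) {
  return in_x0 + y * alpha_stride + x;
}

// Walk every pixel of the overlay child as the compositing loop would, but only
// CHECK each alpha offset against the allocation instead of dereferencing it.
// Returns how many pixel reads would land outside the alpha buffer.
static std::size_t count_oob_alpha_reads(const Plane& color, const Plane& alpha,
                                         std::size_t in_x0, bool use_fix) {
  std::size_t oob = 0;
  for (std::size_t y = 0; y < alpha.height; ++y) {
    for (std::size_t x = 0; x < alpha.width; ++x) {
      std::size_t off = use_fix ? fixed_alpha_offset(in_x0, y, x, alpha.stride)
                                : vuln_alpha_offset(in_x0, y, x, color.stride);
      if (off >= alpha.alloc_bytes) ++oob;
    }
  }
  return oob;
}

// Distance of the farthest alpha read (last pixel of the last row) from the end
// of the allocation, in the form ASan reports it ("N bytes after M-byte region").
// Negative means the read is inside the buffer.
static long farthest_read_past_end(const Plane& color, const Plane& alpha,
                                   std::size_t in_x0, bool use_fix) {
  std::size_t y = alpha.height - 1, x = alpha.width - 1;
  std::size_t off = use_fix ? fixed_alpha_offset(in_x0, y, x, alpha.stride)
                            : vuln_alpha_offset(in_x0, y, x, color.stride);
  return static_cast<long>(off) - static_cast<long>(alpha.alloc_bytes);
}

int main() {
  // The advisory's scenario: 100x50 child image, 10-bit colour stored in
  // 2-byte samples, 8-bit alpha in 1-byte samples, composited at in_x0 = 0.
  Plane color = make_plane(100, 50, 2);
  Plane alpha = make_plane(100, 50, 1);
  std::printf("color stride %zu, alpha stride %zu, alpha alloc %zu bytes\n",
              color.stride, alpha.stride, alpha.alloc_bytes);
  std::printf("vulnerable: %zu OOB reads, farthest %ld bytes past end\n",
              count_oob_alpha_reads(color, alpha, 0, false),
              farthest_read_past_end(color, alpha, 0, false));
  std::printf("fixed:      %zu OOB reads, farthest %ld bytes past end\n",
              count_oob_alpha_reads(color, alpha, 0, true),
              farthest_read_past_end(color, alpha, 0, true));
  return 0;
}
```

With the 16-alignment assumption the colour stride is 208 bytes and the alpha stride 112, so the alpha plane occupies 7,168 bytes while the vulnerable indexing reaches offset 10,291; everything from row 35 onward (plus the tail of row 34) is read from outside the alpha buffer, and in a real decoder those bytes become the alpha values that shape the decoded output pixels, which is the disclosure path the advisory describes. The fixed indexing stays within the allocation for every pixel.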

Impact

Successful exploitation can lead to a denial of service (application crash) due to reading out-of-bounds heap memory. Additionally, the over-read may disclose adjacent heap data that becomes embedded in the decoded output pixels, potentially leaking sensitive information [1]. The advisory notes that up to 3,123 bytes of heap memory could be exposed for a 100×50 image [1]. No remote code execution is described in the available references.

Mitigation

The vulnerability is fixed in libheif version 1.22.0, released on 2026-05-19 [2]. Users should upgrade to version 1.22.0 or later; applications that bundle libheif statically, or via a distribution package, need the rebuilt dependency rather than just a library update. No workaround is documented in the references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • strukturag/libheif (2 version entries, no CPE assigned): range <= 1.21.2

Patches (0)

No patches discovered yet.


References (2)
