What is the CVSS score of CVE-2026-32741?

CVE-2026-32741 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H. EPSS exploitation probability: 0.0%.

Which versions of libheif are affected by CVE-2026-32741?

libheif (versions 1.21.2 and below) contains a heap buffer overflow that allows attackers to corrupt system memory through maliciously crafted HEIF image files.. A patch is available.

libheif CVE-2026-32741

EUVD-2026-30982 HIGH

Heap-based Buffer Overflow (CWE-122)

2026-05-19 GitHub_M

Buffer Overflow Heap Overflow Red Hat Suse

7.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Lifecycle Timeline

Patch available

May 19, 2026 - 21:02 EUVD

Source Code Evidence Fetched

May 19, 2026 - 20:45 vuln.today

Analysis Generated

May 19, 2026 - 20:45 vuln.today

DescriptionNVD

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel buffer using memcpy(dst, data.data(), data.size()). The copy length data.size() is determined by the iloc extent in the file (attacker-controlled), while the destination buffer is sized based on the declared image dimensions. Because no upper-bound check exists on the data length, a crafted file whose iloc extent exceeds the pixel buffer allocation overflows the heap. The vulnerable single-memcpy branch is reached when the mskC property specifies bits_per_pixel = 8 and the ispe property declares an even width ≥ 64 (so that stride == width), with no changes to default security limits or external codec plugins required. This issue has been fixed in version 1.22.0.

AnalysisAI

Heap buffer overflow in libheif versions 1.21.2 and below allows remote attackers to corrupt memory via a maliciously crafted HEIF file containing a mask image (mski) box. The flaw resides in MaskImageCodec::decode_mask_image(), where an attacker-controlled iloc extent length is memcpy'd into an undersized pixel buffer with no upper-bound validation, yielding heap corruption when a user opens the file. …

RemediationAI

Within 24 hours: Identify systems running libheif 1.21.2 or earlier and assess business dependency on HEIF file processing. Within 7 days: Implement interim controls-disable HEIF support where not critical, sandbox image processing services, restrict HEIF file uploads to trusted internal sources only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory