What is the CVSS score of CVE-2026-32882?

CVE-2026-32882 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of libheif are affected by CVE-2026-32882?

libheif library versions 1.21.2 and earlier contain a high-severity heap buffer over-read vulnerability in image overlay processing that allows remote attackers to crash applications or leak…. A patch is available.

libheif CVE-2026-32882

EUVD-2026-30981 HIGH

Out-of-bounds Read (CWE-125)

2026-05-19 GitHub_M

Buffer Overflow Denial Of Service Information Disclosure Red Hat Suse

7.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Lifecycle Timeline

Patch available

May 19, 2026 - 21:02 EUVD

Source Code Evidence Fetched

May 19, 2026 - 20:45 vuln.today

Analysis Generated

May 19, 2026 - 20:45 vuln.today

DescriptionNVD

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100×50 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in versionThis issue has been fixed in version 1.22.0.

AnalysisAI

Heap buffer over-read in libheif versions 1.21.2 and prior allows remote attackers to crash applications or potentially leak adjacent heap memory by supplying a crafted HEIF/AVIF file with an overlay image (iovl) whose alpha channel bit depth differs from its color channels. The flaw in HeifPixelImage::overlay() uses the color channel stride to index into the alpha plane, reading up to 3,123 bytes beyond the alpha buffer for a 100×50 image with 10-bit color and 8-bit alpha. …

RemediationAI

Within 24 hours: Identify all systems and applications using libheif versions 1.21.2 or earlier through dependency scanning and asset inventory tools. Within 7 days: Upgrade all affected instances to libheif version 1.22.0 or later and test critical image processing workflows. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory