
libheif CVE-2026-41071

MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-22 GitHub_M
5.1
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

SUSE: 8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: A
Scope: X

Lifecycle Timeline

Source Code Evidence Fetched: Jun 08, 2026 - 13:44 (vuln.today)
Analysis Generated: Jun 08, 2026 - 13:44 (vuln.today)
CVSS changed: May 26, 2026 - 20:07 (NVD), 5.1 (MEDIUM)
CVE Published: May 22, 2026 - 20:59 (nvd), UNKNOWN (no severity yet)

Description (GitHub Advisory)

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track's chunk table causes a heap-buffer-overflow (out-of-bounds read) in the SampleAuxInfoReader constructor. The SampleAuxInfoReader constructor iterates over saiz->get_num_samples() samples but doesn't validate that this count is consistent with the number of chunks in the chunks vector. When saiz declares more samples than the chunks cover, the loop increments current_chunk past chunks.size(), causing an out-of-bounds read on the chunks vector. The vulnerability is triggered during file parsing (heif_context_read_from_file) without any additional user interaction. Any application using libheif to open untrusted HEIF files is affected. This issue has been fixed in version 1.22.0.

Analysis (AI)

Heap-buffer-overflow in libheif 1.21.2 and prior exposes any application parsing untrusted HEIF sequence files to an out-of-bounds read during file ingestion, with potential for heap memory disclosure or process crash. The flaw is triggered the moment a victim opens a crafted file - no additional interaction beyond file opening is required - making it a practical threat in desktop image viewers, browsers, and media pipelines that embed libheif. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft HEIF sequence file with oversized saiz sample count
Delivery: Deliver file to target user via email, web, or shared storage
Exploit: User opens file in libheif-linked application
Execution: heif_context_read_from_file() instantiates SampleAuxInfoReader
Persist: Loop iterates past end of chunks vector (CWE-125)
Impact: Out-of-bounds heap read yields memory disclosure or process crash

Vulnerability Assessment (AI)

Exploitation: The victim must actively open a crafted HEIF sequence file (CVSS UI:A), making passive or zero-click exploitation impossible without an additional delivery vector. …

Risk Assessment: The CVSS 4.0 score of 5.1 (Medium) is consistent with the impact profile: AV:N establishes network reachability through file delivery, AC:L and AT:N confirm no special conditions or prior foothold are needed, PR:N indicates no authentication is required, but UI:A (user must actively open the file) limits opportunistic exploitation. …

Exploit Scenario: An attacker crafts a HEIF sequence file in which the saiz box reports a sample count substantially higher than the number of samples referenced in the track's chunk offset table, then distributes this file via email attachment, web download, or shared storage. When a user on an unpatched system opens the file in any libheif-linked application - an image viewer, a photo editor, or a browser with HEIF support - heif_context_read_from_file() instantiates SampleAuxInfoReader, the loop runs past the end of the chunks heap buffer, and the process either leaks adjacent heap contents (potentially exposing pointers or sensitive data) or crashes with a segmentation fault.

Remediation: The primary fix is upgrading to libheif v1.22.0, available at https://github.com/strukturag/libheif/releases/tag/v1.22.0; this release adds bounds validation in the SampleAuxInfoReader constructor to ensure the saiz sample count is checked against the actual chunks vector size before iteration. …
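
The loop shape described above, modelled with the bounds check in place. This is an added example, not libheif's code and not the upstream patch; ChunkModel, WalkResult and map_samples_to_chunks are hypothetical names, and the per-chunk sample count is an assumed simplification of the chunk table.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Hypothetical stand-in for one chunk-table entry: only the sample count matters here.
struct ChunkModel { uint32_t num_samples; };

struct WalkResult {
  bool ok;                       // false: saiz count is not covered by the chunk table
  uint32_t failed_at_sample;     // first sample with no chunk (meaningful when !ok)
  std::vector<size_t> chunk_of;  // chunk index for each sample (meaningful when ok)
};

// Assigns each of saiz_num_samples samples to a chunk. The index is checked
// against chunks.size() before every access, so an inflated count is rejected
// instead of advancing current_chunk past the end of the vector.
WalkResult map_samples_to_chunks(const std::vector<ChunkModel>& chunks,
                                 uint32_t saiz_num_samples) {
  WalkResult r{true, 0, {}};
  size_t current_chunk = 0;
  uint32_t used_in_chunk = 0;
  for (uint32_t i = 0; i < saiz_num_samples; i++) {
    // Move on from exhausted (or empty) chunks without leaving the vector.
    while (current_chunk < chunks.size() &&
           used_in_chunk == chunks[current_chunk].num_samples) {
      current_chunk++;
      used_in_chunk = 0;
    }
    if (current_chunk >= chunks.size()) {  // an unchecked loop would read here
      return WalkResult{false, i, {}};
    }
    r.chunk_of.push_back(current_chunk);
    used_in_chunk++;
  }
  return r;
}

int main() {
  std::vector<ChunkModel> chunks = {{2}, {3}};        // constructed: table covers 5 samples
  WalkResult good = map_samples_to_chunks(chunks, 5);
  WalkResult bad = map_samples_to_chunks(chunks, 9);  // constructed: saiz claims 9
  std::cout << "5 samples ok=" << good.ok << ", 9 samples ok=" << bad.ok
            << " (no chunk for sample " << bad.failed_at_sample << ")\n";
  return bad.ok ? 1 : 0;
}
```

A parser built this way fails the file at load time with a parse error rather than reading adjacent heap memory.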

Vendor Status

SUSE (Severity: High)

Product: Status
openSUSE Tumbleweed: Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7: Affected
SUSE Linux Enterprise Server 15 SP7: Affected
SUSE Linux Enterprise Desktop 15 SP7: Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7: Affected
