Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

CVE-2026-32741— libheif has a heap buffer overflow in decode_mask_image()

CVSS 7.1 · High EPSS 0.03% · P10

Possible ATT&CK Techniques 1AI

T1203 · Exploitation for Client Execution

Affected Version Matrix 1

VendorProductVersion RangeStatus
strukturaglibheif< 1.22.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-32741

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
libheif has a heap buffer overflow in decode_mask_image()
Source: NVD (National Vulnerability Database)
Vulnerability Description
libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel buffer using memcpy(dst, data.data(), data.size()). The copy length data.size() is determined by the iloc extent in the file (attacker-controlled), while the destination buffer is sized based on the declared image dimensions. Because no upper-bound check exists on the data length, a crafted file whose iloc extent exceeds the pixel buffer allocation overflows the heap. The vulnerable single-memcpy branch is reached when the mskC property specifies bits_per_pixel = 8 and the ispe property declares an even width ≥ 64 (so that stride == width), with no changes to default security limits or external codec plugins required. This issue has been fixed in version 1.22.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
堆缓冲区溢出
Source: NVD (National Vulnerability Database)
Vulnerability Title
libheif 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
libheif是struktur开源的一款 ISO/IEC 23008-12:2017 HEIF 文件格式解码器和编码器。 libheif 1.21.2及之前版本存在安全漏洞,该漏洞源于MaskImageCodec::decode_mask_image()中堆缓冲区溢出,未对数据长度进行上限检查,导致memcpy复制超出目标缓冲区大小。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
strukturaglibheif < 1.22.0 -

II. Public POCs for CVE-2026-32741

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-32741

登录查看更多情报信息。

Vendor Advisories for CVE-2026-32741 (1)

Vendor Pages for CVE-2026-32741 (1)

Same Patch Batch · strukturag · 2026-05-19 · 6 CVEs total

CVE-2026-327408.8 HIGHlibheif: Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing
CVE-2026-328827.1 HIGHlibheif: Heap Buffer OOB Read in overlay compositing due to wrong alpha stride
CVE-2026-327386.5 MEDIUMlibheif has a Heap OOB Read/SEGV Crash via Zero samples_per_chunk
CVE-2026-327396.5 MEDIUMlibheif is Vulnerable to Infinite Loop DoS via stts Sample Duration Lookup
CVE-2026-328146.5 MEDIUMlibheif: Uninitialized Heap Memory Information Leak via Failed Grid Tiles

IV. Related Vulnerabilities

Same product: libheif
Same vendor: strukturag
Same weakness: CWE-122

V. Comments for CVE-2026-32741

No comments yet

Leave a comment