Critical Vulnerability Information

Vulnerability Title
Potential heap-based buffer overflow when attempting to convert multiband TIFF input to HEIF output

Severity Level: High (7.0/10)
CVE ID: CVE-2025-29769
Weakness Type: CWE-122

Affected Scope
Affected Versions: = 8.16.1

Description and Impact
The operation could incorrectly determine the presence of an alpha channel in an input when the color interpretation could not be determined, a condition internally referred to in libvips as "multiband".

While there are few ways to create a "multiband" input, it is possible using a carefully crafted TIFF image. If a "multiband" TIFF input image had 4 channels and HEIF output was requested, libvips would create a 3-channel HEIF image without an alpha channel, but then attempt to write 4 channels of data. This resulted in a heap buffer overflow, potentially crashing the process.

Fix Details
Patch: 9ab6784

Mitigation
A possible workaround for users of libvips prior to version 8.16.1 is to block the operation using , which is available in most language bindings.

References
https://issues.oss-fuzz.com/issues/396460413
#4392
#4394
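
The mismatch described under Description and Impact, reduced to a small C model. This is an added example, not libvips code and not the 9ab6784 patch: the types and the functions plan_flawed, plan_checked and write_row are hypothetical, and dropping the fourth band is only one possible policy. It shows the output being sized for 3 channels while 4 bands are scheduled for writing, and a length check that refuses the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the bug class; names and logic are assumptions. */
typedef enum { INTERP_SRGB, INTERP_MULTIBAND } interp_t;
typedef struct { int width, bands; interp_t interp; } image_t;
typedef struct { int out_channels, src_bands; } plan_t;

/* Alpha is only inferred when the colour interpretation is known. */
static int has_alpha(const image_t *im) {
    return im->interp == INTERP_SRGB && im->bands == 4;
}

/* Flawed planning as the advisory describes it: the output gets 3 channels
 * (no alpha detected) while every input band is still scheduled for writing. */
plan_t plan_flawed(const image_t *im) {
    plan_t p = { has_alpha(im) ? 4 : 3, im->bands };
    return p;
}

/* Checked planning: bands written never exceed channels allocated. */
plan_t plan_checked(const image_t *im) {
    plan_t p = plan_flawed(im);
    if (p.src_bands > p.out_channels)
        p.src_bands = p.out_channels; /* assumed policy: drop the extra band */
    return p;
}

/* Bounds-checked row writer: returns bytes used in dst, or -1 when the plan
 * would write past the destination instead of overflowing the heap buffer. */
long write_row(uint8_t *dst, size_t dst_len, const uint8_t *src,
               const image_t *im, plan_t p) {
    size_t need = (size_t)im->width * (size_t)p.out_channels;
    if (p.src_bands > p.out_channels || need > dst_len)
        return -1;
    for (int x = 0; x < im->width; x++)
        memcpy(dst + (size_t)x * p.out_channels,
               src + (size_t)x * im->bands, (size_t)p.src_bands);
    return (long)need;
}

int main(void) {
    image_t im = { 2, 4, INTERP_MULTIBAND };       /* constructed input */
    uint8_t src[8] = {1, 2, 3, 4, 5, 6, 7, 8}, dst[6] = {0};
    /* The flawed plan must be refused; the checked plan must fit exactly. */
    return !(write_row(dst, sizeof dst, src, &im, plan_flawed(&im)) == -1 &&
             write_row(dst, sizeof dst, src, &im, plan_checked(&im)) == 6);
}
```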