CVE-2025-68431 Overview
CVE-2025-68431 is an out-of-bounds read vulnerability in libheif, an open-source library for decoding and encoding HEIF and AVIF image file formats. The vulnerability exists in the HeifPixelImage::overlay() function, where a specially crafted HEIF file containing malicious overlay image items can trigger a heap buffer over-read condition. When processing overlay boxes (iovl), the function incorrectly computes a negative row length—likely stemming from an unclipped overlay rectangle or invalid offsets—which subsequently underflows when converted to size_t and is passed to memcpy. This results in an extremely large read operation past the end of the source memory plane, causing application crashes and potential information disclosure.
Critical Impact
This vulnerability allows remote attackers to crash applications using libheif by providing a maliciously crafted HEIF/AVIF image, leading to denial of service. The out-of-bounds read could also potentially leak sensitive memory contents.
Affected Products
- struktur libheif versions prior to 1.21.0
- Applications and services integrating libheif for HEIF/AVIF image processing
- Image viewers, converters, and content management systems using the vulnerable library
Discovery Timeline
- 2025-12-29 - CVE-2025-68431 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2025-68431
Vulnerability Analysis
The vulnerability resides in the overlay image composition logic within libheif's pixelimage.cc file. When processing HEIF images containing overlay image items (iovl boxes), the HeifPixelImage::overlay() function performs memory copy operations to composite multiple image layers. The flaw manifests when the function calculates the copy width for non-alpha pixel data transfers.
The original code computed the copy width as in_w - in_x0, which could produce a negative value when the input coordinates are improperly validated or when overlay rectangles extend beyond expected boundaries. In C/C++, when this negative signed integer is implicitly converted to an unsigned size_t type for the memcpy length parameter, integer underflow occurs. This transforms a small negative value into an astronomically large positive value, instructing memcpy to read far beyond the allocated source buffer boundaries.
Root Cause
The root cause is improper input validation and an incorrect copy width calculation in the overlay image processing code path. The vulnerability stems from the subtraction operation in_w - in_x0 which fails to account for cases where in_x0 could exceed in_w, or where the overlay rectangle parameters are maliciously crafted. The lack of boundary checks before the memcpy operation allows the integer underflow to propagate into a critical memory operation.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious HEIF or AVIF image file with specially constructed overlay image item (iovl) boxes containing invalid offsets or dimensions. When a victim application or service attempts to decode this malicious image using a vulnerable version of libheif, the following attack flow occurs:
- The malicious image is provided to the target via email attachment, web upload, messaging application, or any image processing workflow
- libheif parses the HEIF container and encounters the overlay image item
- The HeifPixelImage::overlay() function is invoked with attacker-controlled overlay parameters
- The copy width calculation produces a negative value that underflows to a massive unsigned value
- The subsequent memcpy reads past the source buffer, causing a crash or potential memory disclosure
if (!has_alpha) {
memcpy(out_p + out_x0 + (out_y0 + y - in_y0) * out_stride,
in_p + in_x0 + y * in_stride,
- in_w - in_x0);
+ in_w);
}
else {
for (uint32_t x = in_x0; x < in_w; x++) {
Source: GitHub Commit
The patch corrects the copy width calculation by using in_w directly instead of the subtraction that could produce negative values.
Detection Methods for CVE-2025-68431
Indicators of Compromise
- Unexpected application crashes or segmentation faults when processing HEIF/AVIF images
- Increased crash reports in image processing services or applications
- HEIF files containing unusual or malformed iovl (overlay) box structures
- Memory access violation errors in logs related to libheif operations
Detection Strategies
- Monitor for application crashes with stack traces pointing to HeifPixelImage::overlay() or libheif overlay processing functions
- Implement file integrity checks and input validation for HEIF/AVIF images before processing
- Deploy endpoint detection rules to identify exploitation attempts targeting image processing components
- Use SentinelOne's behavioral AI to detect anomalous memory access patterns during image decoding operations
Monitoring Recommendations
- Enable crash dump collection and analysis for applications using libheif to identify exploitation attempts
- Implement logging for image processing operations, particularly for files containing overlay structures
- Monitor system resource usage for abnormal memory read patterns that may indicate out-of-bounds access attempts
- Configure alerts for repeated crash events in image handling services that could indicate active exploitation
How to Mitigate CVE-2025-68431
Immediate Actions Required
- Upgrade libheif to version 1.21.0 or later immediately across all systems
- Audit applications and services for libheif dependencies and prioritize patching
- Implement input validation to reject or quarantine suspicious HEIF/AVIF files pending analysis
- Consider temporarily disabling overlay image processing if patching cannot be immediately applied
Patch Information
The vulnerability has been addressed in libheif version 1.21.0. The fix corrects the copy width calculation in libheif/pixelimage.cc by changing the memcpy length from in_w - in_x0 to in_w, eliminating the integer underflow condition. Organizations should update to version 1.21.0 or later as soon as possible.
Patch details:
- Fixed Version: 1.21.0
- Commit: b8c12a7b70f46c9516711a988483bed377b78d46
- Release: GitHub Release v1.21.0
- Security Advisory: GHSA-j87x-4gmq-cqfq
Workarounds
- Avoid decoding images that use iovl overlay boxes until the library can be updated
- Implement pre-processing filters to strip or reject HEIF files containing overlay image items
- Deploy sandboxed or isolated environments for processing untrusted image files
- Use network-level controls to filter incoming HEIF/AVIF files from untrusted sources
# Check current libheif version
pkg-config --modversion libheif
# Update libheif on Debian/Ubuntu systems
sudo apt update && sudo apt install libheif-dev
# Build from source for version 1.21.0
git clone https://github.com/strukturag/libheif.git
cd libheif
git checkout v1.21.0
mkdir build && cd build
cmake ..
make && sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
