CVE-2026-32738 Overview
CVE-2026-32738 is an integer underflow vulnerability in libheif, a widely used HEIF and AVIF file format decoder and encoder maintained by struktur. The flaw exists in versions 1.21.2 and below. A crafted 792-byte HEIF sequence file with samples_per_chunk=0 in the stsc box triggers an unsigned integer underflow in the Chunk constructor. The computation m_last_sample = 0 + 0 - 1 wraps to UINT32_MAX, mapping all samples to an empty chunk. Accessing any sample then reads index 0 of an empty std::vector, causing a guaranteed segmentation fault. The issue is tracked under CWE-125 and was fixed in version 1.22.0.
Critical Impact
A single malformed HEIF file causes a null-page read SEGV in any application using libheif, producing a reliable denial of service on first frame access.
Affected Products
- struktur libheif versions 1.21.2 and earlier
- Applications embedding libheif for HEIF or AVIF decoding
- Image processing pipelines and media servers using vulnerable libheif builds
Discovery Timeline
- 2026-05-19 - CVE-2026-32738 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-32738
Vulnerability Analysis
The vulnerability resides in the parsing of the stsc (Sample-to-Chunk) box within ISO Base Media File Format containers used by HEIF sequences. When samples_per_chunk equals zero, the Chunk constructor performs arithmetic that underflows an unsigned 32-bit integer. The resulting value UINT32_MAX is treated as a valid last-sample index, so every sample index falls inside the chunk's claimed range even though the chunk holds no samples. This mismatch causes every sample lookup to resolve to an empty chunk container.
Parsing itself succeeds without raising an error. The crash occurs later, when the caller requests the first frame. At that point, libheif indexes element 0 of an empty std::vector; the empty vector has no backing allocation, so the access goes through a null data pointer. The result is a null-page read and process termination.
The attack requires user interaction, typically opening or processing a crafted HEIF file. The vulnerability cannot be used for code execution or data exfiltration, but it produces a reliable crash in any process consuming untrusted HEIF input.
Root Cause
The root cause is missing input validation on the samples_per_chunk field combined with unchecked unsigned arithmetic. The Chunk constructor assumes samples_per_chunk is at least 1 and subtracts 1 without guarding against the zero case. Unsigned wraparound produces a maximal index that silently corrupts internal state.
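To make the arithmetic concrete, here is an added example that is not libheif's code: a hypothetical reconstruction of the chunk-range pattern the advisory describes (the struct names, fields and the `claims_without_storage` and `checked_chunk_rejects` helpers are all assumptions), with the unchecked constructor beside one that rejects the zero case before subtracting.

```cpp
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical reconstruction of the pattern the advisory describes, not
// libheif's own Chunk class. A chunk covers the sample index range
// [first_sample, last_sample] and stores one offset per sample it owns.
struct VulnerableChunk {
  uint32_t first_sample;
  uint32_t last_sample;
  std::vector<uint32_t> sample_offsets;  // empty when samples_per_chunk == 0
  VulnerableChunk(uint32_t first, uint32_t samples_per_chunk)
      : first_sample(first),
        // Unchecked unsigned arithmetic: first == 0 and samples_per_chunk == 0
        // evaluates 0 + 0 - 1, which wraps to UINT32_MAX.
        last_sample(first + samples_per_chunk - 1),
        sample_offsets(samples_per_chunk, 0) {}

  bool contains(uint32_t idx) const { return idx >= first_sample && idx <= last_sample; }
};

// Hardened form: reject the zero case and the overflow case before subtracting.
struct CheckedChunk {
  uint32_t first_sample;
  uint32_t last_sample;
  std::vector<uint32_t> sample_offsets;
  CheckedChunk(uint32_t first, uint32_t samples_per_chunk)
      : first_sample(first), last_sample(0), sample_offsets(samples_per_chunk, 0) {
    if (samples_per_chunk == 0)
      throw std::invalid_argument("stsc: samples_per_chunk must be >= 1");
    if (samples_per_chunk - 1 > UINT32_MAX - first)
      throw std::invalid_argument("stsc: sample range exceeds uint32");
    last_sample = first + samples_per_chunk - 1;
  }
};

// The crash condition: the chunk claims idx but has no storage for it, so a
// lookup doing sample_offsets[idx - first_sample] reads through the empty
// vector's null data pointer. A bounds check like this belongs in the lookup.
inline bool claims_without_storage(const VulnerableChunk& c, uint32_t idx) {
  return c.contains(idx) && (idx - c.first_sample) >= c.sample_offsets.size();
}

// True when CheckedChunk refuses the entry, which is what a fixed parser does.
inline bool checked_chunk_rejects(uint32_t first, uint32_t samples_per_chunk) {
  try { CheckedChunk c(first, samples_per_chunk); (void)c; return false; }
  catch (const std::invalid_argument&) { return true; }
}
```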
Attack Vector
An attacker delivers a 792-byte crafted HEIF sequence file through any channel that feeds libheif. Common vectors include email attachments, web image uploads, messaging clients, and thumbnail generators. When the target application calls libheif to decode the first frame, the process crashes. Server-side image processors and headless converters are particularly exposed because they often process untrusted user content automatically.
The vulnerability manifests in the Chunk constructor when handling the stsc box. See the GitHub Security Advisory GHSA-7f2h-cmpf-v9ww for technical details on the affected code path.
Detection Methods for CVE-2026-32738
Indicators of Compromise
- Repeated process crashes or SIGSEGV signals in applications calling libheif decode functions
- Core dumps showing null-page reads originating in the Chunk sample access path
- HEIF or AVIF files near 792 bytes containing an stsc box with samples_per_chunk=0
- Unexpected restarts of image processing workers handling user-uploaded media
Detection Strategies
- Inspect inbound HEIF and AVIF files for malformed stsc boxes where samples_per_chunk is zero
- Monitor application logs and crash reporters for segmentation faults inside libheif symbols
- Inventory dependencies and identify processes loading libheif.so versions at or below 1.21.2
- Apply file format validation at upload boundaries before passing media to decoder libraries
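An added example of the file-level check in the first bullet, not part of the advisory or of libheif: a minimal ISOBMFF box walker that flags stsc entries with samples_per_chunk == 0, run against a constructed in-memory file (all function names are assumptions). It also handles the failure mode a scanner must not trust: extended, zero or out-of-bounds box sizes stop the walk instead of being followed.

```cpp
#include <cstdint>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;
static uint32_t be32(const Bytes& b, size_t o) {
  return (uint32_t(b[o]) << 24) | (uint32_t(b[o + 1]) << 16) | (uint32_t(b[o + 2]) << 8) | b[o + 3];
}

// Walk the ISOBMFF boxes in [begin, end), descend only into the containers on the
// path to the sample table, and count stsc entries whose samples_per_chunk is 0.
static size_t count_zero_spc(const Bytes& buf, size_t begin, size_t end) {
  static const char* kContainers[] = {"moov", "trak", "mdia", "minf", "stbl"};
  size_t bad = 0;
  for (size_t off = begin; off + 8 <= end;) {
    uint32_t size = be32(buf, off);
    std::string type(buf.begin() + off + 4, buf.begin() + off + 8);
    if (size < 8 || size > end - off) break;  // extended (0/1) sizes or truncation: stop
    bool container = false;
    for (const char* c : kContainers) container = container || type == c;
    if (container) {
      bad += count_zero_spc(buf, off + 8, off + size);
    } else if (type == "stsc" && size >= 16) {
      // Full box: version(1) flags(3) entry_count(4), then 12-byte entries of
      // first_chunk, samples_per_chunk, sample_description_index.
      uint32_t n = be32(buf, off + 12);
      for (uint32_t i = 0; i < n && 16 + size_t(i + 1) * 12 <= size; ++i)
        if (be32(buf, off + 16 + size_t(i) * 12 + 4) == 0) ++bad;
    }
    off += size;
  }
  return bad;
}
size_t count_zero_samples_per_chunk(const Bytes& file) { return count_zero_spc(file, 0, file.size()); }

// Constructed sample (not a real capture): ftyp followed by a minimal
// moov/trak/mdia/minf/stbl tree whose stsc holds a single entry.
static void put32(Bytes& b, uint32_t v) { for (int s = 24; s >= 0; s -= 8) b.push_back(uint8_t(v >> s)); }
static Bytes box(const std::string& type, const Bytes& payload) {
  Bytes b; put32(b, uint32_t(8 + payload.size()));
  b.insert(b.end(), type.begin(), type.end()); b.insert(b.end(), payload.begin(), payload.end());
  return b;
}
Bytes build_sample(uint32_t samples_per_chunk) {
  Bytes stsc; put32(stsc, 0); put32(stsc, 1);                      // version/flags, entry_count
  put32(stsc, 1); put32(stsc, samples_per_chunk); put32(stsc, 1);  // first_chunk, spc, sdi
  Bytes file = box("ftyp", Bytes{'h', 'e', 'i', 'f', 0, 0, 0, 0});  // major_brand, minor_version
  Bytes moov = box("moov", box("trak", box("mdia", box("minf", box("stbl", box("stsc", stsc))))));
  file.insert(file.end(), moov.begin(), moov.end());
  return file;
}
```

For a real upload gateway the same walker would read the file bytes instead of build_sample and reject the file when the count is non-zero.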
Monitoring Recommendations
- Track crash telemetry for image processing services and correlate with recent file uploads
- Alert on abnormal restart rates for thumbnailers, mail scanners, and media transcoders
- Log libheif version strings during application startup to confirm patch state across the fleet
How to Mitigate CVE-2026-32738
Immediate Actions Required
- Upgrade libheif to version 1.22.0 or later across all systems and container images
- Audit downstream packages and language bindings such as pyheif and libheif-rs for bundled vulnerable copies
- Restrict server-side HEIF and AVIF processing to validated input until patches are deployed
- Isolate image decoding workers in sandboxed processes with automatic restart on crash
Patch Information
The maintainers fixed the issue in libheif 1.22.0. The patch adds validation for the samples_per_chunk field in the stsc box parser, preventing the unsigned underflow. Refer to the libheif GitHub Security Advisory GHSA-7f2h-cmpf-v9ww for the official advisory and commit references.
Workarounds
- Reject HEIF and AVIF files outside expected size ranges or with malformed stsc boxes at the application gateway
- Run libheif consumers under process supervisors that restart on SIGSEGV to maintain availability
- Disable HEIF and AVIF decoding in non-essential services until patched versions are deployed
```bash
# Verify installed libheif version on Linux
ldconfig -p | grep libheif
dpkg -l | grep libheif   # Debian/Ubuntu
rpm -q libheif           # RHEL/Fedora
# Upgrade to patched release (Debian/Ubuntu package name shown)
apt-get update && apt-get install --only-upgrade libheif1
# Distributions sometimes backport a fix without bumping the upstream version string;
# check the package changelog (e.g. apt changelog libheif1) before trusting the number alone
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.