CVE-2026-32739 Overview
CVE-2026-32739 is an infinite loop vulnerability [CWE-835] in libheif, an open-source HEIF and AVIF file format decoder and encoder maintained by struktur. Versions 1.21.2 and below contain a flaw in the Box_stts::get_sample_duration() function. A crafted 800-byte HEIF sequence file triggers an unbounded loop during file parsing, consuming 100% CPU indefinitely with zero progress. The condition occurs at file open before any decoding or user interaction. The process remains alive with no crash and no error logged, making it invisible to crash-based monitoring. The issue is fixed in version 1.22.0.
Critical Impact
A single malicious 800-byte HEIF file can pin a CPU core at 100% utilization indefinitely, enabling denial of service against any application that parses untrusted HEIF input through libheif.
Affected Products
- struktur libheif versions 1.21.2 and earlier
- Applications embedding libheif for HEIF/AVIF parsing
- Image processing pipelines and thumbnailers that auto-parse HEIF sequence files
Discovery Timeline
- 2026-05-19 - CVE-2026-32739 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-32739
Vulnerability Analysis
The vulnerability resides in Box_stts::get_sample_duration(), a function that calculates sample durations from the stts (sample-to-time) box of an HEIF sequence container. The parsing logic iterates through sample entries without enforcing an upper bound on iterations or a wall-clock timeout. A crafted stts box causes the loop counter or index to never reach its terminating condition, producing an infinite loop.
Because the defect triggers during the parse phase rather than during image decoding, exploitation does not require the victim to render or view the image. Any code path that opens the file for metadata inspection is sufficient. The process does not crash, allocate excessive memory, or emit error output, which prevents detection by watchdogs that rely on segmentation faults or memory pressure signals.
The attack is categorized as CPU exhaustion denial of service. Repeated submission of the malicious file to a multi-process service can exhaust all worker threads or processes.
Root Cause
The root cause is missing loop termination validation in the stts box parser. The function trusts the sample count and duration fields encoded in the file without verifying that the iteration will make forward progress or complete within a finite number of steps. This maps to [CWE-835] Loop with Unreachable Exit Condition.
Attack Vector
The attack vector is network-based with user interaction required. An attacker hosts or delivers a malicious HEIF sequence file as small as 800 bytes. When the file reaches an application that uses libheif to parse it, such as a web upload handler, a desktop image viewer, a chat client thumbnailer, or a server-side media converter, the parser enters the infinite loop. No authentication or elevated privileges are required.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-j9g7-q9hv-gq8c. No public exploit code is currently available.
Detection Methods for CVE-2026-32739
Indicators of Compromise
- A process linked against libheif sustaining 100% CPU on a single core after opening an HEIF file
- HEIF or HEIC files near 800 bytes in size submitted to upload endpoints or media processors
- Worker processes that hang during file ingestion without producing log output or exit codes
Detection Strategies
- Monitor CPU utilization per process and alert when an image-handling worker holds a core at 100% beyond a defined threshold
- Inspect HEIF file metadata before passing files to libheif and reject malformed stts boxes with implausible sample counts
- Correlate inbound file uploads with downstream process resource usage to identify single-file CPU spikes
Monitoring Recommendations
- Enforce per-request CPU and wall-clock timeouts on any service that invokes libheif for parsing
- Track the version of libheif deployed across hosts and containers using software composition analysis tooling
- Log file hashes of HEIF inputs that trigger worker timeouts to support retroactive triage
How to Mitigate CVE-2026-32739
Immediate Actions Required
- Upgrade libheif to version 1.22.0 or later across all systems, containers, and bundled application dependencies
- Audit applications that embed libheif statically and rebuild them against the patched release
- Apply execution timeouts to any media parsing worker that processes untrusted HEIF or AVIF input
Patch Information
The fix is included in libheif version 1.22.0. Release notes and source artifacts are available at the GitHub Release v1.22.0 page. Distribution maintainers should pull the upstream patch into supported package channels. The full advisory is published at the GitHub Security Advisory GHSA-j9g7-q9hv-gq8c.
Workarounds
- Disable HEIF and AVIF parsing in user-facing services until the patched library is deployed
- Wrap libheif calls in a watchdog that terminates the parsing process after a fixed CPU-time budget
- Restrict accepted HEIF file sizes and reject inputs that fail a pre-parse structural sanity check
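The CPU-time watchdog named in the workarounds and immediate actions above, as an added example that is not part of the advisory or of libheif. It runs the parsing worker as a child process under RLIMIT_CPU plus a wall-clock ceiling, so a worker spinning at 100% CPU with no crash (the failure mode of this CVE) is terminated by the kernel rather than left hanging; the SPINNING_WORKER, HEALTHY_WORKER and SLEEPING_WORKER command lines are constructed stand-ins for a real libheif worker.

```python
import resource
import signal
import subprocess
import sys

def run_with_cpu_budget(argv, cpu_seconds, wall_seconds):
    """Run argv in a child with a hard CPU-time budget (RLIMIT_CPU) and a
    wall-clock ceiling. Returns (verdict, detail): ("exited", code) on a normal
    exit, ("killed", signal name) when the CPU budget ended it, or
    ("wall-timeout", None) when the wall clock expired first (the child is
    killed by subprocess.run in that case)."""
    def cap_cpu():                          # runs in the child before exec()
        # Soft limit raises SIGXCPU (fatal by default); hard limit is SIGKILL.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    try:
        proc = subprocess.run(argv, preexec_fn=cap_cpu, timeout=wall_seconds,
                              capture_output=True)
    except subprocess.TimeoutExpired:
        return "wall-timeout", None
    if proc.returncode < 0:                 # negative code = died from a signal
        return "killed", signal.Signals(-proc.returncode).name
    return "exited", proc.returncode

# Constructed stand-ins for the libheif worker (not real parsers): one that
# never returns and burns CPU, one that finishes, one that blocks without CPU.
SPINNING_WORKER = [sys.executable, "-c", "while True: pass"]
HEALTHY_WORKER = [sys.executable, "-c", "import sys; sys.exit(0)"]
SLEEPING_WORKER = [sys.executable, "-c", "import time; time.sleep(30)"]

if __name__ == "__main__":
    print(run_with_cpu_budget(SPINNING_WORKER, cpu_seconds=1, wall_seconds=10))
    print(run_with_cpu_budget(HEALTHY_WORKER, cpu_seconds=1, wall_seconds=10))
```

The CPU budget is what catches this bug; the wall-clock ceiling is kept because a worker blocked on I/O accrues no CPU time and would otherwise never be reaped.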
# Configuration example: enforce a CPU-time limit on a libheif parsing worker
# using systemd to bound runaway processes triggered by malicious input.
# Intended for a per-file worker unit (for example one started with systemd-run),
# since RuntimeMaxSec ends the whole service, not a single request.
[Service]
# Throttles the unit to half a core; this limits the damage of a spinning parser
# but does not stop it, so it must be paired with RuntimeMaxSec below.
CPUQuota=50%
# Terminates the service once it has been active for 10 seconds, whatever state
# it is in; this is what actually ends the infinite loop.
RuntimeMaxSec=10
# Memory and task ceilings so the worker cannot exhaust the host by other means.
MemoryMax=256M
TasksMax=16
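A pre-parse structural gate for the stts box, covering the "inspect HEIF file metadata" detection strategy and the "pre-parse structural sanity check" workaround above. This is added example code, not part of the advisory or of libheif; the exact field values that trigger the loop are not published here, so the checks are generic plausibility rules (every box must fit inside its container, the declared entry_count must fit inside the stts box, no entry may carry a zero sample_count or sample_delta) that are deliberately stricter than the ISO base media file format. The build_sample helper constructs a minimal box tree for testing and is not a real HEIF file.

```python
import struct

CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}   # descend into these

def iter_boxes(data, start, end):   # yields (type, payload_start, box_end); type None = malformed
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1 and pos + 16 <= end:            # 64-bit largesize follows the header
            size, header = struct.unpack_from(">Q", data, pos + 8)[0], 16
        elif size == 0:                               # box runs to the end of its container
            size = end - pos
        if size < header or pos + size > end:         # overruns container or shorter than header
            yield None, pos, end
            return
        yield btype, pos + header, pos + size
        pos += size

def stts_problems(payload):   # payload = version(1) flags(3) entry_count(4) then 8-byte entries
    if len(payload) < 8:
        return ["stts shorter than its fixed header"]
    entry_count = struct.unpack_from(">I", payload, 4)[0]
    if entry_count * 8 > len(payload) - 8:            # declared entries exceed what the box holds
        return [f"stts declares {entry_count} entries but box holds {(len(payload) - 8) // 8}"]
    return [f"stts entry {i} has zero sample_count or sample_delta"  # conservative rule
            for i in range(entry_count)
            if 0 in struct.unpack_from(">II", payload, 8 + 8 * i)]

def file_problems(data, start=0, end=None):   # reasons to reject before libheif sees the file
    end = len(data) if end is None else end
    problems = []
    for btype, pstart, bend in iter_boxes(data, start, end):
        if btype is None:
            problems.append(f"malformed box header at offset {pstart}")
        elif btype == b"stts":
            problems += stts_problems(data[pstart:bend])
        elif btype in CONTAINERS:
            problems += file_problems(data, pstart, bend)
    return problems

def build_sample(entries, declared=None):   # constructed test tree, not a real HEIF file
    box = lambda btype, payload: struct.pack(">I4s", 8 + len(payload), btype) + payload
    body = struct.pack(">II", 0, len(entries) if declared is None else declared)
    body += b"".join(struct.pack(">II", count, delta) for count, delta in entries)
    tree = box(b"stts", body)
    for parent in (b"stbl", b"minf", b"mdia", b"trak", b"moov"):
        tree = box(parent, tree)
    return box(b"ftyp", b"msf1") + tree
```

An empty problem list only means the file passed these structural rules; a file with no stts box at all passes too, so the gate complements the library upgrade rather than replacing it.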
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.