CVE-2026-32740 Overview
CVE-2026-32740 is a heap buffer overflow write vulnerability in libheif, a widely deployed HEIF and AVIF file format decoder and encoder maintained by struktur. Versions 1.21.2 and earlier mishandle grid tile compositing when decoding a HEIF or AVIF file containing a 1×4 grid of odd-height tiles. An attacker can write 64 bytes of fully attacker-controlled chroma pixel data past the end of a chroma plane heap allocation. The overflow triggers during normal image decoding under the default build configuration, requiring only that a victim open or process a crafted image.
Critical Impact
Remote attackers can corrupt heap memory with controlled bytes by delivering a malicious HEIF or AVIF file, enabling potential code execution in any application that decodes untrusted images with libheif.
Affected Products
- struktur libheif versions 1.21.2 and prior
- Applications and operating systems bundling vulnerable libheif builds for HEIF or AVIF decoding
- Image processing pipelines, browsers, and thumbnailers that link against libheif
Discovery Timeline
- 2026-05-19 - CVE-2026-32740 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-32740
Vulnerability Analysis
The flaw is an out-of-bounds heap write classified as [CWE-787]. It resides in the grid tile compositing path of libheif, which assembles multiple tiles into a single decoded image. When a HEIF or AVIF file declares a 1×4 grid composed of tiles with odd-numbered heights, the compositor miscalculates the destination size of the chroma (Cb/Cr) planes relative to the source tile data. As a result, 64 bytes beyond the allocated chroma plane buffer receive attacker-supplied chroma pixel values during the copy.
Because the overwritten bytes originate from the attacking tile, the adversary controls every byte of the overflow. This control is significant on heap allocators where adjacent metadata or function pointers can be groomed into predictable positions. Exploitation requires no authentication, occurs over a network attack vector, and only depends on a user opening or rendering a crafted file.
Root Cause
The root cause is incorrect dimension handling for chroma subsampling when grid tiles have odd heights. Chroma planes in subsampled formats such as 4:2:0 are half the height of luma planes, and rounding errors on odd tile heights cause the compositor to write more chroma rows than were allocated. The 1×4 grid layout amplifies the rounding mismatch into a deterministic 64-byte overflow.
Attack Vector
An attacker crafts a HEIF or AVIF file with a 1×4 grid of odd-height tiles and delivers it through email attachments, web pages, messaging platforms, or cloud file shares. When the victim's application decodes the image using vulnerable libheif, the chroma plane overflow occurs without any further interaction. Exploitation requires user interaction limited to opening or previewing the file. The vulnerability does not require elevated privileges on the target system.
No public exploit or proof-of-concept code is currently available. Technical details are described in the GitHub Security Advisory GHSA-frfr-f3vg-2g6j.
Detection Methods for CVE-2026-32740
Indicators of Compromise
- HEIF or AVIF files declaring a 1×4 grid configuration with tiles of odd pixel height
- Crashes, aborts, or AddressSanitizer reports in processes linking libheif versions 1.21.2 or earlier
- Unexpected child processes spawned by image viewers, thumbnailers, or browsers after opening .heic, .heif, or .avif files
Detection Strategies
- Inventory all software that bundles or dynamically links libheif and compare versions against the patched 1.22.0 release
- Inspect HEIF and AVIF files at email and web gateways for grid box configurations declaring a 1×4 layout with odd tile heights
- Hunt for process crashes in image-rendering services that correlate with HEIF or AVIF file access events
Monitoring Recommendations
- Enable crash telemetry and core dump collection on workstations and servers that decode user-supplied images
- Monitor file ingestion pipelines for .heic, .heif, and .avif files originating from untrusted sources
- Alert on anomalous memory access violations in long-running media processing daemons
How to Mitigate CVE-2026-32740
Immediate Actions Required
- Upgrade libheif to version 1.22.0 or later on all systems and rebuild downstream applications that statically link the library
- Apply vendor updates from operating system distributions that ship libheif as a package
- Restrict ingestion of HEIF and AVIF files from untrusted sources until patching is complete
Patch Information
The maintainers fixed the issue in libheif1.22.0. See the GitHub libheif Release v1.22.0 for upgrade artifacts and the GitHub Security Advisory GHSA-frfr-f3vg-2g6j for authoritative remediation guidance.
Workarounds
- Disable HEIF and AVIF decoding in applications that allow format selection until the patched library is deployed
- Sandbox image decoding processes with seccomp, AppArmor, or equivalent controls to contain memory corruption
- Strip or reject HEIF and AVIF attachments at email and web proxies for high-risk user populations
# Verify the installed libheif version on Linux systems
dpkg -l | grep libheif
rpm -qa | grep libheif
pkg-config --modversion libheif
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
