CVE-2026-32741 Overview
CVE-2026-32741 is a heap buffer overflow [CWE-122] in libheif, an open-source HEIF and AVIF file format decoder and encoder. The flaw resides in MaskImageCodec::decode_mask_image() and affects versions 1.21.2 and earlier. When parsing a HEIF file that contains a mask image (mski), the function copies attacker-controlled iloc extent data into a fixed-size pixel buffer without validating the source length. A crafted file triggers an out-of-bounds write on the heap, enabling denial of service and potential memory corruption. The maintainers fixed the issue in version 1.22.0.
Critical Impact
Processing a malicious HEIF file with a crafted mski mask image triggers a heap overflow that can crash the host application or corrupt heap memory, with potential for code execution depending on the consuming process.
Affected Products
- libheif versions 1.21.2 and earlier
- Applications and image viewers that link against vulnerable libheif builds
- Operating system distributions shipping libheif <= 1.21.2
Discovery Timeline
- 2026-05-19 - CVE-2026-32741 published to the National Vulnerability Database (NVD)
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-32741
Vulnerability Analysis
The defect lives in MaskImageCodec::decode_mask_image() within libheif. The function performs a single memcpy(dst, data.data(), data.size()) operation to populate the decoded mask pixel buffer. The destination buffer is allocated using dimensions derived from the ispe (Image Spatial Extents) property, while data.size() is taken from the iloc (Item Location) extent declared in the file. Because the two values are never cross-checked, an attacker can declare a small image size while providing a large iloc extent, causing the copy to overrun the heap allocation.
The vulnerable single-memcpy branch is reached when the mskC property specifies bits_per_pixel = 8 and the ispe property declares an even width greater than or equal to 64, ensuring that stride == width. No changes to default security limits or external codec plugins are required to reach the sink.
Root Cause
The root cause is a missing upper-bound validation between the attacker-controlled iloc extent length and the destination pixel buffer size. The decoder trusts file-supplied metadata to size the copy operation, violating safe parsing assumptions for untrusted input.
Attack Vector
Exploitation requires the victim to open or process a malicious HEIF file with an application that uses libheif. The attack vector is remote through file delivery channels such as email, web downloads, or messaging clients. User interaction is required to trigger decoding. Confidentiality is unaffected, but integrity and availability can be compromised through heap corruption.
No synthetic exploitation code is included. Refer to the GitHub Security Advisory GHSA-j3w5-7whq-p37q for the technical write-up.
Detection Methods for CVE-2026-32741
Indicators of Compromise
- Crashes or abnormal terminations in processes that load libheif, such as image viewers, thumbnailers, or web services performing HEIF transcoding
- HEIF files where the declared iloc extent length exceeds the size implied by the ispe width and height combined with the mskC bits_per_pixel value
- Heap corruption signatures reported by AddressSanitizer or system crash telemetry referencing MaskImageCodec::decode_mask_image
Detection Strategies
- Inventory hosts and container images for libheif versions at or below 1.21.2 using software composition analysis tooling
- Inspect HEIF uploads at application boundaries and reject files whose mski extent length is inconsistent with the declared ispe dimensions
- Hunt for repeated crashes of processes invoking HEIF decoding routines across endpoint telemetry
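The following is an added illustration, not libheif's own code: a bounds check that ties the iloc extent length to the buffer size derived from ispe dimensions and the mskC bits_per_pixel value, which is the cross-check the Root Cause section says is missing and the consistency test the Detection Strategies section describes for upload inspection. Function names and the 1-bit/8-bit handling are assumptions.

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Expected byte size of a decoded mask plane for the given ispe width/height
// and mskC bits_per_pixel. Returns nullopt for zero dimensions, an
// unsupported depth, or an absurdly large product. The vulnerable branch on
// the page needs bits_per_pixel == 8 with stride == width; this helper also
// rounds 1-bit rows up to whole bytes, so it is slightly more general.
std::optional<uint64_t> expected_mask_bytes(uint32_t width, uint32_t height,
                                            uint32_t bits_per_pixel) {
  if (width == 0 || height == 0) return std::nullopt;
  if (bits_per_pixel != 1 && bits_per_pixel != 8) return std::nullopt;
  uint64_t stride = (static_cast<uint64_t>(width) * bits_per_pixel + 7) / 8;
  uint64_t total = stride * height;
  if (total > UINT32_MAX) return std::nullopt;  // reject implausible sizes
  return total;
}

// Gateway-style consistency test: true only when the iloc extent length for
// the mski item equals the size implied by ispe and mskC.
bool extent_is_consistent(uint32_t width, uint32_t height,
                          uint32_t bits_per_pixel, uint64_t extent_len) {
  auto expected = expected_mask_bytes(width, height, bits_per_pixel);
  return expected.has_value() && *expected == extent_len;
}

// Checked decode: the copy length is bounded by the destination size before
// any memcpy happens. A mismatched extent is rejected instead of copied,
// so a large extent declared against a small ispe cannot overrun the heap.
std::optional<std::vector<uint8_t>> decode_mask_checked(
    uint32_t width, uint32_t height, uint32_t bits_per_pixel,
    const std::vector<uint8_t>& extent) {
  if (!extent_is_consistent(width, height, bits_per_pixel, extent.size()))
    return std::nullopt;
  std::vector<uint8_t> pixels(extent.size());
  std::memcpy(pixels.data(), extent.data(), extent.size());
  return pixels;
}
```

Constructed inputs in the test below model a 64x4 8-bit mask whose extent either matches the buffer, is far larger than it, or is truncated; only the matching one decodes.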
Monitoring Recommendations
- Enable crash reporting and core dump collection on systems that process untrusted images
- Forward image-processing service logs and application crash events to a centralized SIEM for correlation
- Monitor for unusual child process behavior or memory access violations originating from image viewer and document preview workflows
How to Mitigate CVE-2026-32741
Immediate Actions Required
- Upgrade libheif to version 1.22.0 or later on all affected systems and rebuild any statically linked applications
- Identify and patch downstream applications that bundle vulnerable libheif builds, including desktop image viewers and server-side transcoders
- Restrict the processing of untrusted HEIF files until the patch is deployed across the environment
Patch Information
The maintainers fixed the heap buffer overflow in libheif version 1.22.0. Details are available in the GitHub libheif Release v1.22.0 notes and the GitHub Security Advisory GHSA-j3w5-7whq-p37q.
Workarounds
- Disable HEIF and mski mask image decoding in applications that expose configuration toggles for image format support
- Sandbox image-processing services using seccomp, AppArmor, or container isolation to limit the blast radius of heap corruption
- Pre-filter inbound HEIF files at email and web gateways, or convert them to a safer format using an isolated and patched decoder
# Verify installed libheif version on Debian/Ubuntu systems
dpkg -l | grep -i libheif
# Upgrade libheif on Debian/Ubuntu
sudo apt-get update && sudo apt-get install --only-upgrade libheif1
# Verify installed libheif version on RHEL/Fedora systems
rpm -q libheif
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.