CVE-2026-32882 Overview
CVE-2026-32882 is a heap buffer over-read vulnerability in libheif, a widely deployed HEIF and AVIF file format decoder and encoder. The flaw resides in HeifPixelImage::overlay() within libheif/pixelimage.cc and affects versions 1.21.2 and earlier. The issue [CWE-125] occurs when compositing an overlay image (iovl) whose child image uses a different bit depth for the alpha channel than for the color channels. The function indexes into the alpha plane using in_stride instead of alpha_stride, reading past the end of the alpha buffer. A crafted HEIF file can crash the decoder or disclose adjacent heap memory through bytes embedded in decoded output pixels.
Critical Impact
Attackers can crash applications processing untrusted HEIF files and potentially leak adjacent heap memory contents into rendered pixel data.
Affected Products
- libheif versions 1.21.2 and prior
- Applications and libraries embedding vulnerable libheif builds for HEIF/AVIF decoding
- Downstream image processing pipelines and viewers that decode untrusted HEIF content
Discovery Timeline
- 2026-05-19 - CVE-2026-32882 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-32882
Vulnerability Analysis
The defect lives in HeifPixelImage::overlay(), the routine responsible for compositing overlay images defined by the HEIF iovl derived image item. libheif stores color and alpha planes independently, and each plane carries its own stride value returned during buffer setup. The vulnerable code retrieves alpha_stride for the alpha plane but then uses in_stride, the color plane stride, when computing offsets into the alpha buffer.
When the alpha channel uses a different bit depth than the color channels, the two strides diverge. For a 100×50 image with 10-bit color and 8-bit alpha, the mismatched indexing reads up to 3,123 bytes past the end of the alpha buffer. The over-read bytes are then written into the composited output image, exposing whatever heap data resides adjacent to the alpha allocation.
Root Cause
The root cause is incorrect stride selection during pixel indexing. libheif treats color and alpha planes as having matched layouts when they do not. The function should index the alpha plane with alpha_stride, but instead reuses in_stride from the color plane. This produces out-of-bounds reads whenever bit depths or layouts differ between channels.
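The stride mismatch described in the analysis and root cause above, as an added illustration that is not libheif's own code: a constructed Plane type whose colour and alpha planes get independently computed strides, the same offset arithmetic evaluated with the colour plane's in_stride (the vulnerable pattern) and with the alpha plane's own alpha_stride (the corrected form), and a bounds-checked accessor of the kind a hardened compositing loop should use. The plane dimensions, the 16-byte row alignment and the resulting byte counts are assumptions of this example rather than figures from the advisory, and the example only computes offsets and counts which ones fall outside the allocation; it never dereferences out-of-bounds memory.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Constructed stand-in for one libheif image plane: a byte buffer whose rows
// are `stride` bytes apart. The 16-byte row alignment is an assumption made
// for this example, not libheif's actual allocator behaviour.
struct Plane {
    int width;                  // samples per row
    int height;                 // rows
    size_t stride;              // bytes from one row start to the next
    std::vector<uint8_t> data;  // stride * height bytes

    Plane(int w, int h, int bytes_per_sample, size_t align)
        : width(w), height(h),
          stride(((size_t)w * bytes_per_sample + align - 1) / align * align),
          data(stride * (size_t)h, 0) {}
};

// Offset of alpha sample (x, y) when rows are located with `stride`.
// The vulnerable pattern passes the colour plane's in_stride here; the fix
// passes the alpha plane's own alpha_stride.
inline size_t alpha_offset(size_t stride, int x, int y) {
    return (size_t)y * stride + (size_t)x;
}

// How far the last sample's offset lands past the end of the alpha buffer
// when rows are addressed with `stride_used` (0 when it stays in bounds).
size_t overread_bytes(size_t stride_used, const Plane& alpha) {
    size_t last = alpha_offset(stride_used, alpha.width - 1, alpha.height - 1);
    size_t end = alpha.data.size();
    return last >= end ? last - end + 1 : 0;
}

// Count alpha samples whose computed offset falls outside the allocation.
// Offsets are only computed, never dereferenced, so this is safe to run.
size_t count_oob_reads(size_t stride_used, const Plane& alpha) {
    size_t oob = 0;
    for (int y = 0; y < alpha.height; ++y)
        for (int x = 0; x < alpha.width; ++x)
            if (alpha_offset(stride_used, x, y) >= alpha.data.size()) ++oob;
    return oob;
}

// Hardened read: index with the plane's own stride and refuse anything
// outside the plane. This is the shape a compositing loop should take.
uint8_t alpha_sample_checked(const Plane& alpha, int x, int y) {
    if (x < 0 || y < 0 || x >= alpha.width || y >= alpha.height)
        throw std::out_of_range("alpha sample outside plane");
    size_t off = alpha_offset(alpha.stride, x, y);
    if (off >= alpha.data.size())
        throw std::out_of_range("alpha offset outside buffer");
    return alpha.data[off];
}

// True when the checked accessor rejects (x, y) instead of reading it.
bool checked_read_rejects(const Plane& alpha, int x, int y) {
    try {
        (void)alpha_sample_checked(alpha, x, y);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    // Constructed 64x32 overlay child: 10-bit colour (2 bytes/sample) and
    // 8-bit alpha (1 byte/sample), so in_stride != alpha_stride.
    Plane color(64, 32, 2, 16);
    Plane alpha(64, 32, 1, 16);

    std::printf("in_stride=%zu alpha_stride=%zu alpha_bytes=%zu\n",
                color.stride, alpha.stride, alpha.data.size());
    std::printf("vulnerable (in_stride): %zu samples out of bounds, up to %zu bytes past end\n",
                count_oob_reads(color.stride, alpha), overread_bytes(color.stride, alpha));
    std::printf("fixed (alpha_stride):   %zu samples out of bounds\n",
                count_oob_reads(alpha.stride, alpha));
    std::printf("checked accessor rejects x=64: %s\n",
                checked_read_rejects(alpha, 64, 0) ? "yes" : "no");
    return 0;
}
```

With the constructed 64x32 planes, in_stride is 128 bytes while alpha_stride is 64, so every alpha row from the sixteenth onward is addressed beyond the 2048-byte alpha allocation under the vulnerable indexing; the same loop driven by alpha_stride stays in bounds for every sample. The checked accessor is the defensive counterpart: because it derives the offset from the plane's own stride and validates both the coordinates and the final offset, a layout mismatch between planes cannot turn into a read outside the buffer.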
Attack Vector
Exploitation requires the victim to open or process a crafted HEIF file. The attack vector is network-reachable because HEIF files are commonly transferred over the web, email, and messaging platforms. User interaction is required to trigger decoding. Successful exploitation produces a denial of service through process crash or leaks heap memory bytes embedded in the decoded pixel output, which an attacker can recover when the rendered image is returned, displayed, or re-encoded.
No public proof-of-concept code has been released. Technical details are described in the GitHub Security Advisory GHSA-hg7q-rjr2-8x46.
Detection Methods for CVE-2026-32882
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes linking libheif when handling HEIF or AVIF content
- HEIF files containing iovl derived image items with mismatched color and alpha bit depths
- Rendered output images that contain noise patterns or anomalous pixel regions not present in legitimate source content
Detection Strategies
- Inventory all applications and container images that bundle libheif and flag any build at version 1.21.2 or earlier
- Apply static and software composition analysis to identify vulnerable libheif builds in third-party dependencies
- Inspect inbound HEIF files for iovl items where alpha and color plane bit depths differ, as this is required to trigger the over-read
Monitoring Recommendations
- Monitor endpoint and server processes for repeated crashes in image decoding pipelines that handle user-supplied HEIF files
- Alert on anomalous memory access faults raised by AddressSanitizer or production crash reporters in libheif call stacks
- Track HEIF and AVIF file processing telemetry from upload, messaging, and conversion services for spikes in malformed-image errors
How to Mitigate CVE-2026-32882
Immediate Actions Required
- Upgrade libheif to version 1.22.0 or later across all systems, container images, and packaged applications
- Rebuild and redeploy downstream software that statically links libheif after upgrading the library
- Restrict acceptance of HEIF and AVIF files from untrusted sources until patched builds are in place
Patch Information
The fix is included in libheif 1.22.0. The corrected code uses alpha_stride when indexing the alpha plane in HeifPixelImage::overlay(). Release artifacts and changelog details are available in the libheif 1.22.0 release notes.
Workarounds
- Disable HEIF and AVIF decoding in applications that cannot be patched immediately
- Process untrusted HEIF files inside sandboxed or isolated workers so a crash or memory disclosure cannot reach the parent process
- Strip or reject files containing overlay (iovl) derived image items at the perimeter using image-aware filtering
# Verify installed libheif version on Linux
heif-info --version
# Debian/Ubuntu upgrade example
sudo apt update && sudo apt install --only-upgrade libheif1
# Confirm fixed version is 1.22.0 or later
dpkg -l | grep libheif
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.