CVE-2026-32738

MEDIUM 6.5

libheif has a Heap OOB Read/SEGV Crash via Zero samples_per_chunk

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chunk=0 in the stsc box causes an unsigned integer underflow in the Chunk constructor (m_last_sample = 0 + 0 - 1 = UINT32_MAX), mapping all samples to an empty chunk and resulting in a denial of service. When any sample is accessed, the library reads from index 0 of an empty std::vector, causing a guaranteed SEGV (null-page read). The file parses successfully without producing an error; the crash occurs on the first frame access. This issue has been fixed in version 1.22.0.

CWE	CWE-125 CWE-476
Vendor	strukturag
Product	libheif
Published	May 19, 2026
Last Updated	May 19, 2026

Stay Ahead of the Next One

Get instant alerts for strukturag libheif

Be the first to know when new medium vulnerabilities affecting strukturag libheif are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

strukturag / libheif

< 1.22.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/strukturag/libheif/security/advisories/GHSA-7f2h-cmpf-v9ww