CVE-2026-32738

medium

Published 2026-05-19 · Modified 2026-05-20

CVSS v3

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v2

—

VIR risk

6.5

Description

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chunk=0 in the stsc box causes an unsigned integer underflow in the Chunk constructor (m_last_sample = 0 + 0 - 1 = UINT32_MAX), mapping all samples to an empty chunk and resulting in a denial of service. When any sample is accessed, the library reads from index 0 of an empty std::vector, causing a guaranteed SEGV (null-page read). The file parses successfully without producing an error; the crash occurs on the first frame access. This issue has been fixed in version 1.22.0.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-32738.html

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-32738

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/strukturag/libheif/security/advisories/GHSA-7f2h-cmpf-v9ww

OS impact

OS	Version	Status
debian	bookworm	affected
debian	bullseye	affected
debian	forky	affected
debian	sid	affected
debian	trixie	affected
sles		affected

Application impact

Vendor	Product	Versions	Fixed
struktur	libheif	`{"endExcluding":"1.22.0"}`	`1.22.0`

References

CWEs

CWE-125 CWE-476

Verify integrity in audit chain (admin only). AS-IS.