PatchSiren

CVE-2026-32738 strukturag CVE debrief

CVE-2026-32738 is a denial-of-service issue in libheif. A crafted HEIF sequence file is accepted by the parser without error, but crashes the library later, when sample data is accessed. The supplied record says the issue was published on 2026-05-19 and fixed in libheif 1.22.0.

Vendor: strukturag
Product: libheif
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Teams that use libheif to process untrusted HEIF or AVIF files should pay attention, especially image upload services, media converters, viewers, and backend pipelines that may open attacker-supplied content.

Technical summary

According to the supplied description, a crafted 792-byte HEIF sequence file sets samples_per_chunk=0 in the stsc box. That leads to an unsigned integer underflow in the Chunk constructor: the last-sample index is computed from the sample count minus one, so a count of 0 wraps to m_last_sample = UINT32_MAX, and every sample index maps to a chunk that holds no samples. When a sample is then accessed, libheif reads index 0 from an empty std::vector and crashes with a reliable SEGV (a null-page read). NVD lists the issue as affecting libheif versions before 1.22.0 and assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (network-deliverable, user interaction required, availability impact only).
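The arithmetic above is easy to reproduce in isolation. The following C++ is an added illustrative model written for this debrief, not libheif's own Chunk class or parser: the struct layout, the function names, and the field m_first_sample are assumptions chosen for illustration (only m_last_sample and samples_per_chunk come from the advisory text). It shows the unchecked last-sample computation wrapping to UINT32_MAX for a zero sample count, the unsafe vector access that follows, and a hardened constructor plus a table-level stsc check that refuses such a file instead of continuing to sample access.

```cpp
// Added example for CVE-2026-32738 (illustrative model, not libheif code).
// Names such as StscEntry, Chunk, m_first_sample and the *_checked/*_unchecked
// helpers are assumptions for illustration.
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// One entry of the ISO BMFF sample-to-chunk (stsc) table.
struct StscEntry {
  uint32_t first_chunk;               // 1-based chunk index
  uint32_t samples_per_chunk;         // must be >= 1 for a usable chunk
  uint32_t sample_description_index;
};

// Hypothetical chunk model: a contiguous range of sample indices plus
// per-sample data (here just sizes) for exactly samples_per_chunk samples.
struct Chunk {
  uint32_t m_first_sample = 0;
  uint32_t m_last_sample = 0;
  std::vector<uint32_t> m_sample_sizes;
};

// Vulnerable pattern: last = first + count - 1 in unsigned arithmetic.
// With count == 0 and first == 0 this wraps to UINT32_MAX, so the chunk
// claims to own every sample while its vector is empty.
Chunk make_chunk_unchecked(uint32_t first_sample, uint32_t samples_per_chunk) {
  Chunk c;
  c.m_first_sample = first_sample;
  c.m_last_sample = first_sample + samples_per_chunk - 1;
  c.m_sample_sizes.assign(samples_per_chunk, 0);
  return c;
}

// Range test against m_last_sample; passes for every index on a wrapped chunk.
bool contains_sample(const Chunk& c, uint32_t idx) {
  return idx >= c.m_first_sample && idx <= c.m_last_sample;
}

// Unsafe lookup: the range test succeeds, then operator[] indexes an empty
// vector, which is undefined behaviour (the null-page read in the advisory).
// Never call this on a chunk built from a zero sample count.
uint32_t sample_size_unchecked(const Chunk& c, uint32_t idx) {
  return c.m_sample_sizes[idx - c.m_first_sample];
}

// Hardened constructor: reject a zero count, refuse an end index that would
// overflow, and only then build the chunk.
std::optional<Chunk> make_chunk_checked(uint32_t first_sample, uint32_t samples_per_chunk) {
  if (samples_per_chunk == 0) return std::nullopt;
  if (samples_per_chunk - 1 > std::numeric_limits<uint32_t>::max() - first_sample)
    return std::nullopt;
  Chunk c;
  c.m_first_sample = first_sample;
  c.m_last_sample = first_sample + samples_per_chunk - 1;
  c.m_sample_sizes.assign(samples_per_chunk, 0);
  return c;
}

// Hardened lookup: range test, then a bounds check on the vector itself so a
// mismatch between the claimed range and the stored data fails closed.
std::optional<uint32_t> sample_size_checked(const Chunk& c, uint32_t idx) {
  if (!contains_sample(c, idx)) return std::nullopt;
  size_t off = static_cast<size_t>(idx - c.m_first_sample);
  if (off >= c.m_sample_sizes.size()) return std::nullopt;
  return c.m_sample_sizes[off];
}

// Table-level check run before any chunk is built: a zero sample count, a
// zero first_chunk, or a non-increasing first_chunk marks the entry bad, and
// a caller should reject the file if this returns non-zero.
size_t count_bad_stsc_entries(const std::vector<StscEntry>& table) {
  size_t bad = 0;
  uint32_t prev_first_chunk = 0;
  for (const StscEntry& e : table) {
    if (e.samples_per_chunk == 0 || e.first_chunk == 0 || e.first_chunk <= prev_first_chunk)
      ++bad;
    prev_first_chunk = e.first_chunk;
  }
  return bad;
}

int main() {
  // Constructed stsc table resembling the malicious shape: second entry has
  // samples_per_chunk == 0. A real 792-byte sample file is not reproduced here.
  std::vector<StscEntry> table = {{1, 2, 1}, {3, 0, 1}};
  Chunk wrapped = make_chunk_unchecked(0, 0);  // m_last_sample == UINT32_MAX
  return (count_bad_stsc_entries(table) == 1 && !make_chunk_checked(0, 0)) ? 0 : 1;
}
```

The table-level check is the part worth copying into a pipeline: validating stsc entries once, before building any per-chunk state, is cheaper and easier to audit than guarding every later sample access, and it turns an attacker-controlled crash into an ordinary decode error that the service can log and reject.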

Defensive priority

Medium, with higher urgency for internet-facing or user-uploaded media workflows. The impact is availability-only, but the crash is reliable once triggered and the input is remotely deliverable via a crafted file.

Recommended defensive actions

  • Upgrade libheif to version 1.22.0 or later.
  • Inventory applications and services that depend on libheif, including transitive dependencies.
  • Treat untrusted HEIF/AVIF inputs as high risk and isolate media parsing in a constrained process or sandbox.
  • Verify that deployments fail closed on parse or decoding errors, rejecting the file rather than continuing on to frame or sample access.
  • Monitor for repeated crashes in services that handle image uploads or thumbnail generation.

Evidence notes

This debrief is based only on the supplied CVE record, NVD metadata, and the linked GitHub Security Advisory. The source material states the vulnerability is fixed in 1.22.0, that the CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, and that no CISA KEV entry was provided in the supplied corpus.

Official resources

The supplied record shows the CVE was published on 2026-05-19T19:16:48.823Z and modified on 2026-05-20T14:17:41.080Z. No KEV date was provided in the supplied data.