PatchSiren cyber security CVE debrief
CVE-2026-32740 strukturag CVE debrief
CVE-2026-32740 is a high-severity heap-buffer-overflow write in libheif’s grid tile compositing path. A crafted HEIF/AVIF file with a 1×4 grid of odd-height tiles can trigger a write of attacker-controlled chroma data past the end of a heap allocation during normal decoding. The issue affects libheif 1.21.2 and earlier and is fixed in 1.22.0.
- Vendor
- strukturag
- Product
- libheif
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-19
- Original CVE updated
- 2026-05-21
- Advisory published
- 2026-05-19
- Advisory updated
- 2026-05-21
Who should care
Teams that decode HEIF or AVIF content with libheif should care, especially image-processing services, document/media pipelines, desktop applications, and any software that accepts untrusted user-uploaded images.
Technical summary
NVD classifies the issue as CWE-787. The vulnerability is a heap-buffer-overflow (write) in grid tile compositing. According to the supplied description, a specially crafted HEIF/AVIF file using a 1×4 grid of odd-height tiles can cause libheif to write 64 bytes of fully attacker-controlled chroma (Cb/Cr) data beyond the end of a chroma-plane heap allocation. The trigger occurs during normal decoding with the default build configuration. The vulnerable version range in the NVD record ends before 1.22.0.
Defensive priority
High. This is a remotely triggerable decoding flaw with no privileges required and user interaction required only in the sense that a victim must open or process a malicious file. The combination of memory corruption, attacker-controlled overwrite content, and broad exposure in image handling makes timely patching important.
Recommended defensive actions
- Upgrade libheif to version 1.22.0 or later.
- Confirm any bundled or vendored libheif copies are updated, including dependencies in media-processing stacks.
- Treat untrusted HEIF/AVIF files as high risk until patched and consider temporary upload or parsing restrictions where practical.
- Rebuild and redeploy any applications that statically link or ship libheif internally.
- Verify your detection and inventory tools can identify libheif versions at or below 1.21.2.
- Monitor downstream vendors or packages that embed libheif for coordinated updates.
Evidence notes
The debrief is based only on the supplied CVE record and official references: the NVD CVE entry, the CVE record, the libheif 1.22.0 release notes, and the linked GitHub security advisory. The supplied NVD metadata identifies the weakness as CWE-787 and lists the vulnerable version range as ending before 1.22.0. No KEV listing was provided.
Official resources
-
CVE-2026-32740 CVE record
CVE.org
-
CVE-2026-32740 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Exploit, Vendor Advisory
Published in the supplied source record on 2026-05-19 and modified on 2026-05-20. No Known Exploited Vulnerabilities listing was provided in the supplied data.