PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32741 strukturag CVE debrief

CVE-2026-32741 describes a heap buffer overflow in libheif’s mask image decoding path. A crafted HEIF file containing a mask image can cause MaskImageCodec::decode_mask_image() to copy attacker-controlled extent data into a destination buffer that was sized from the declared image dimensions, creating a heap overwrite. The issue is fixed in libheif 1.22.0.

Vendor: strukturag
Product: libheif
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Security, platform, and application teams that use libheif directly or indirectly in services that accept untrusted HEIF/AVIF content, including upload pipelines, media processing backends, and client applications that open user-supplied images.

Technical summary

In affected versions (1.21.2 and below), decoding a HEIF mask image (mski) can reach a single memcpy(dst, data.data(), data.size()) call in MaskImageCodec::decode_mask_image(). The source length comes from the iloc extent in the file, which is attacker-controlled, while the destination buffer is allocated according to the declared image dimensions, so the two sizes are never compared before the copy. When the file's mskC property uses bits_per_pixel = 8 and the ispe property declares an even width of at least 64, the stride equals the width and no additional security-limit or external-plugin changes are required for the vulnerable copy to occur. The result is a heap buffer overflow, classified as CWE-122 (heap-based buffer overflow).
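As an added illustration, not libheif's own code, the following models the length mismatch described above beside a checked version. The struct and function names are stand-ins, and the model assumes bits_per_pixel = 8 so the expected mask plane is width * height bytes.

```cpp
// Added example: stand-in for the mask-image decode path, NOT libheif source.
// Assumption: one 8-bit sample per pixel (mskC bits_per_pixel = 8), stride == width.
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// Constructed stand-in for the parsed ispe (width/height) and mskC (bpp) properties.
struct MaskImageInfo {
    uint32_t width;
    uint32_t height;
    uint32_t bits_per_pixel;
};

// Size of the destination plane derived from the declared dimensions.
static size_t expected_mask_bytes(const MaskImageInfo& info) {
    if (info.bits_per_pixel != 8) throw std::invalid_argument("only 8 bpp modelled");
    return static_cast<size_t>(info.width) * info.height;
}

// Vulnerable shape: the copy length is taken from the file-supplied iloc extent
// (extent.size()) while the buffer is sized from the declared dimensions. Instead
// of performing that copy, this returns how many bytes would land past the buffer.
static size_t overrun_bytes_if_unchecked(const MaskImageInfo& info,
                                         const std::vector<uint8_t>& extent) {
    size_t dst_size = expected_mask_bytes(info);
    return extent.size() > dst_size ? extent.size() - dst_size : 0;
}

// Hardened shape: refuse any extent whose length does not match the plane size,
// then copy exactly the buffer size.
static std::vector<uint8_t> decode_mask_checked(const MaskImageInfo& info,
                                                const std::vector<uint8_t>& extent) {
    size_t dst_size = expected_mask_bytes(info);
    if (extent.size() != dst_size)
        throw std::runtime_error("mask extent size does not match declared image size");
    std::vector<uint8_t> plane(dst_size);
    std::memcpy(plane.data(), extent.data(), dst_size);
    return plane;
}

// True when the checked decoder rejects the extent.
static bool mask_extent_rejected(const MaskImageInfo& info,
                                 const std::vector<uint8_t>& extent) {
    try { decode_mask_checked(info, extent); return false; }
    catch (const std::runtime_error&) { return true; }
}
```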

Defensive priority

High for any system that parses untrusted HEIF/AVIF files. Prioritize internet-facing upload services and applications where a crafted image could be processed automatically. The source record reports CVSS 7.1 (HIGH): the memory corruption has a high availability impact and a low integrity impact.

Recommended defensive actions

  • Upgrade libheif to version 1.22.0 or later.
  • Inventory products and services that bundle or statically link libheif, including transitive dependencies.
  • Treat untrusted HEIF/AVIF decoding as a high-risk operation until patched; isolate it with sandboxing or process separation where feasible.
  • Validate that deployed packages and containers do not still ship libheif 1.21.2 or earlier.
  • Track vendor and upstream advisories for any downstream products that embed libheif.

Evidence notes

The CVE record was published on 2026-05-19T21:16:42.073Z and modified on 2026-05-20T17:16:21.133Z. The supplied NVD source item marks the vulnStatus as Deferred and lists CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H with CWE-122. The supplied official references point to the libheif 1.22.0 release and the GitHub Security Advisory GHSA-j3w5-7whq-p37q; both are used here as the basis for the fixed version and the vulnerability description.

Official resources

Publicly disclosed on 2026-05-19 via the CVE record and the linked GitHub advisory/release references; the NVD record was updated on 2026-05-20.