PatchSiren cyber security CVE debrief
CVE-2026-32814 strukturag CVE debrief
CVE-2026-32814 affects libheif versions 1.21.2 and earlier when decoding HEIF grid images with the default strict_decoding=false setting. A corrupted tile can fail without an error, leaving part of the output canvas unwritten and exposing uninitialized heap memory as decoded pixel data. The library still returns heif_error_Ok, so callers may trust output that contains heap garbage. The issue is fixed in libheif 1.22.0.
- Vendor: strukturag
- Product: libheif
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Teams that process untrusted HEIF or AVIF uploads using libheif, especially server-side thumbnailers, media pipelines, CDN image transcoders, and applications that decode grid-based images with default settings.
Technical summary
The source description says the decoder allocates the canvas without zero-initializing it, and only the alpha plane is explicitly filled. If a tile in a HEIF grid image is corrupted and silently fails under strict_decoding=false, the corresponding region is never written. The Y, Cb, and Cr planes can therefore retain prior heap contents and be returned to the caller as image pixel data. The supplied CVSS vector indicates a network attack vector, required user interaction, and a confidentiality-only impact: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.
Defensive priority
High for any environment that decodes user-supplied HEIF/AVIF content with libheif <= 1.21.2, because the flaw can leak memory contents into otherwise trusted image outputs.
Recommended defensive actions
- Upgrade libheif to 1.22.0 or later.
- Treat all HEIF/AVIF files as untrusted input and reprocess them after upgrading.
- If immediate upgrade is not possible, avoid decoding grid-based images from untrusted sources or disable workflows that depend on strict_decoding=false behavior.
- Add validation and monitoring for unexpected decode success on malformed inputs, and verify downstream pipelines do not publish decoded output without trust checks.
- Review any service that converts uploaded HEIF/AVIF files into PNG, JPEG, or thumbnails for possible cross-tenant data exposure.
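A simplified model of the failure mode in the technical summary and of the strict-decoding and zero-fill mitigations listed above (added example, not libheif's code): the grid geometry, the tile decoder and the "corrupted tile" index are constructed, and the caller-supplied canvas stands in for the non-zeroed heap allocation.

```c
#include <stdint.h>
#include <string.h>

/* Constructed grid: ROWS x COLS tiles of TILE x TILE 8-bit luma samples. */
#define TILE 4
#define COLS 2
#define ROWS 2
#define CANVAS (TILE * COLS * TILE * ROWS)

/* Constructed tile decoder: tile index `bad` models a corrupted tile that
 * fails and writes nothing; every other tile is filled with a known value. */
static int decode_tile(int idx, int bad, uint8_t *out) {
    if (idx == bad) return -1;
    memset(out, (uint8_t)(0x10 * (idx + 1)), TILE * TILE);
    return 0;
}

/* Returns 0 (Ok) or -1 (error). Like the vulnerable allocation, `canvas`
 * is not cleared unless zero_fill is set, so a skipped tile region keeps
 * whatever bytes were already there. */
int compose_grid(uint8_t *canvas, int bad_tile, int strict, int zero_fill) {
    int stride = TILE * COLS;
    if (zero_fill) memset(canvas, 0, CANVAS);   /* hardened: no stale bytes */
    for (int r = 0; r < ROWS; r++) {
        for (int c = 0; c < COLS; c++) {
            uint8_t tile[TILE * TILE];
            int idx = r * COLS + c;
            if (decode_tile(idx, bad_tile, tile) != 0) {
                if (strict) return -1;   /* strict decoding: surface the error */
                continue;                /* lenient: region left unwritten, Ok */
            }
            for (int y = 0; y < TILE; y++)
                memcpy(canvas + (r * TILE + y) * stride + c * TILE,
                       tile + y * TILE, TILE);
        }
    }
    return 0;
}

/* Defender's check: how many canvas bytes still carry the stale marker
 * the caller seeded before decoding (models leaked heap contents). */
int count_stale(const uint8_t *canvas, uint8_t marker) {
    int n = 0;
    for (int i = 0; i < CANVAS; i++) if (canvas[i] == marker) n++;
    return n;
}
```

In lenient mode the call reports Ok yet one full tile of seeded bytes survives in the output; strict mode returns an error instead, and zero-filling the canvas removes the leak even when the failure is tolerated.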
Evidence notes
The supplied CVE description states the flaw occurs in libheif 1.21.2 and earlier and is fixed in 1.22.0. The official GitHub advisory and release tag are included in the source references. The NVD source item lists vulnStatus as Deferred and provides the CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. Weaknesses listed in the source item include CWE-200 and CWE-908.
Official resources
Published in the source corpus on 2026-05-19T21:16:42.223Z and modified on 2026-05-20T14:16:41.740Z. The NVD source item is marked Deferred. Use the published date from the CVE/timeline fields as the disclosure date.