PatchSiren cyber security CVE debrief

CVE-2026-32882 strukturag CVE debrief

CVE-2026-32882 is a heap buffer over-read in libheif’s overlay compositing path. A crafted HEIF file can trigger the flaw when the child image uses a different alpha-channel bit depth than its color channels. The issue can crash the decoder and may also leak adjacent heap data into output pixels. The vulnerability affects libheif 1.21.2 and earlier and is fixed in 1.22.0.

Vendor: strukturag
Product: libheif
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Teams that ship or embed libheif, especially software that opens untrusted HEIF or AVIF files, should treat this as important. That includes application maintainers, distro/package managers, security teams, and anyone running image-processing services that decode user-supplied media.

Technical summary

According to the CVE description and GitHub advisory/release references, the flaw is in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl), if the child image’s alpha channel has a different bit depth from the color channels, the function uses the color-channel stride (in_stride) while indexing the alpha plane instead of the previously obtained alpha_stride. That mismatch can read past the end of the alpha buffer, with the supplied description estimating reads of up to 3,123 bytes for a 100×50 image using 10-bit color and 8-bit alpha. The result is a heap over-read consistent with CWE-125, with denial-of-service and limited memory-disclosure impact.
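The stride mismatch above can be reasoned about with a small model. The following is an added example, not libheif code: it assumes a constructed 100×50 child image with minimal row strides (200 bytes per 10-bit colour row, 100 bytes per 8-bit alpha row), computes how far past the alpha buffer stepping by the colour stride would reach, and shows a blend step that uses the alpha plane's own stride and validates the geometry before touching memory. Because the strides here are minimal rather than libheif's padded ones, the over-read byte count differs from the 3,123 figure in the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed geometry (not libheif's): 100x50 child image, 10-bit colour
 * (2 bytes/sample) and 8-bit alpha (1 byte/sample), minimal row strides. */
#define IMG_W 100
#define IMG_H 50
#define COLOR_STRIDE (IMG_W * 2)          /* in_stride: 200 bytes per colour row */
#define ALPHA_STRIDE (IMG_W * 1)          /* alpha_stride: 100 bytes per alpha row */
#define ALPHA_SIZE   (ALPHA_STRIDE * IMG_H)

/* Byte offset of the last alpha sample touched when rows are stepped by `stride`. */
static size_t last_alpha_offset(int w, int h, size_t stride) {
    return (size_t)(h - 1) * stride + (size_t)(w - 1);
}

/* Bytes read past the end of an alpha buffer of `alpha_size`; 0 when in bounds. */
static size_t alpha_overread_bytes(int w, int h, size_t stride, size_t alpha_size) {
    size_t last = last_alpha_offset(w, h, stride);
    return last < alpha_size ? 0 : last - alpha_size + 1;
}

/* Hardened blend step: alpha rows are stepped by alpha_stride (never the colour
 * stride) and the geometry is checked first. Returns 0 on success, -1 if rejected. */
static int blend_alpha_checked(const uint8_t *alpha, size_t alpha_stride, size_t alpha_size,
                               uint16_t *dst, size_t dst_stride_px, int w, int h) {
    if (last_alpha_offset(w, h, alpha_stride) >= alpha_size) return -1;
    for (int y = 0; y < h; y++) {
        const uint8_t *arow = alpha + (size_t)y * alpha_stride;
        uint16_t *drow = dst + (size_t)y * dst_stride_px;
        for (int x = 0; x < w; x++) {
            unsigned a10 = arow[x] * 1023u / 255u;        /* 8-bit alpha -> 10-bit range */
            drow[x] = (uint16_t)(drow[x] * a10 / 1023u);  /* apply as coverage */
        }
    }
    return 0;
}

/* Drives the blend over constructed planes (alpha 128, colour 1023); first output sample or -1. */
static int run_checked_blend(size_t alpha_stride) {
    static uint8_t alpha[ALPHA_SIZE];
    static uint16_t dst[IMG_W * IMG_H];
    memset(alpha, 128, sizeof alpha);
    for (size_t i = 0; i < (size_t)IMG_W * IMG_H; i++) dst[i] = 1023;
    if (blend_alpha_checked(alpha, alpha_stride, sizeof alpha, dst, IMG_W, IMG_W, IMG_H) != 0)
        return -1;
    return dst[0];
}
```

Passing the colour stride where the alpha stride belongs is what the size check rejects; the same check is the kind of assertion a regression test for mixed bit-depth overlays should exercise.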

Defensive priority

High. The vulnerability is publicly disclosed, has a direct fix available in libheif 1.22.0, and can be triggered by crafted files in a common media-parsing path.

Recommended defensive actions

  • Upgrade libheif to version 1.22.0 or later everywhere it is bundled or installed.
  • Inventory products and services that depend on libheif and verify the shipped package version, including transitive dependencies.
  • Prioritize patching systems that process untrusted HEIF or AVIF content, such as upload pipelines, converters, and thumbnailing services.
  • Treat unexpected crashes or malformed-pixel output during HEIF/AVIF decoding as a signal to investigate exposure to this bug.
  • Add or expand regression tests around overlay compositing paths, especially mixed bit-depth alpha/color cases, to prevent reintroduction.

Evidence notes

The source corpus identifies CVE-2026-32882 as a libheif issue fixed in release 1.22.0 and references the GitHub security advisory GHSA-hg7q-rjr2-8x46. NVD metadata lists CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H, CWE-125, and vulnStatus Deferred at the time of the supplied modified record. PublishedAt for the CVE is 2026-05-19T21:16:42.363Z and ModifiedAt is 2026-05-20T18:16:26.880Z.

Official resources

Publicly disclosed on 2026-05-19. The supplied NVD record was modified on 2026-05-20 and lists vulnStatus as Deferred. No KEV entry was supplied in the corpus.