PatchSiren cyber security CVE debrief

CVE-2026-41069 strukturag CVE debrief

## Summary libheif ≤1.21.2 contains an out-of-bounds read in its HEIF/AVIF sequence-parsing logic. A malformed file with `stco.entry_count == 0` (no chunks) but `saiz.sample_count > 0` causes the `SampleAuxInfoReader` constructor to dereference `chunks[0]` on an empty vector, resulting in denial of service. ## Affected Products - **Product:** libheif - **Versions:** 1.21.2 and prior - **Fixed in:** 1.22.0 ## Root Cause The sequence parsing code validates that `stco.entry_count` matches `saio.entry_count`, but does not prevent entry counts of zero. When both are zero, validation passes. However, if `saiz.sample_count > 0`, the `SampleAuxInfoReader` constructor still enters its processing loop and attempts to access `chunks[0]` in chunked mode, causing an out-of-bounds read on the empty chunks vector. ## Impact - **CVSS 3.1:** 6.5 (MEDIUM) - **Vector:** AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - **Impact:** Denial of service via application crash - **Confidentiality/Integrity:** None ## Exploitation - **Attack Vector:** Network - **Attack Complexity:** Low - **Privileges Required:** None - **User Interaction:** Required (victim must open/process malicious file) - **Scope:** Unchanged An attacker can craft a malicious HEIF sequence file that triggers the vulnerability when processed by an application using libheif. ## Mitigation Upgrade to libheif 1.22.0 or later. ## References - CVE Record: CVE-2026-41069 - NVD Entry: CVE-2026-41069 - GitHub Security Advisory: GHSA-p82x-fpmv-576r - libheif 1.22.0 Release: v1.22.0 ## Timeline - **2026-05-22:** CVE published - **2026-05-26:** CVE modified