PatchSiren cyber security CVE debrief

CVE-2026-41071 strukturag CVE debrief

A heap-buffer-overflow vulnerability in libheif versions 1.21.2 and prior allows out-of-bounds reads when parsing crafted HEIF sequence files. The root cause is a missing validation between the sample count declared in the `saiz` box and the actual number of chunks in the track's chunk table. The `SampleAuxInfoReader` constructor iterates over `saiz->get_num_samples()` without verifying this count against `chunks.size()`, leading to an out-of-bounds read when the declared sample count exceeds available chunks. This vulnerability is triggered automatically during file parsing (`heif_context_read_from_file`) without requiring user interaction, affecting any application that processes untrusted HEIF files through libheif. The issue has been resolved in version 1.22.0.

Vendor: strukturag
Product: libheif
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-22
Original CVE updated: 2026-05-27
Advisory published: 2026-05-22
Advisory updated: 2026-05-27

Who should care

Organizations and developers using libheif for HEIF/AVIF image processing in production environments, particularly those handling user-uploaded content, media processing pipelines, or automated image conversion services. Security teams managing software composition analysis (SCA) for applications with image processing dependencies should prioritize this update.

Technical summary

The vulnerability exists in the `SampleAuxInfoReader` constructor within libheif's HEIF sequence parsing code. When processing a `saiz` (Sample Auxiliary Information Sizes) box, the code retrieves the declared sample count via `saiz->get_num_samples()` and iterates through samples to populate auxiliary information. However, no validation ensures this sample count does not exceed the number of entries in the `chunks` vector populated from the track's chunk table. A malformed HEIF file with a `saiz` box declaring more samples than actual chunks causes the loop index `current_chunk` to increment past `chunks.size()`, resulting in an out-of-bounds read on the vector. The crash occurs during `heif_context_read_from_file`, making this a parser-level vulnerability with no additional interaction required beyond file opening. The fix in v1.22.0 adds proper bounds checking to prevent the mismatch between declared sample counts and actual chunk availability.
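As an added illustration, not libheif's own code, the following is a simplified C++ model of the reader's chunk walk with the missing bounds check in place: the declared `saiz` sample count is consumed chunk by chunk, and the walk stops with a parse error instead of indexing past the end of the chunk vector. The struct names, fields and function name are assumptions, and the sample track and `saiz` boxes are constructed for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Constructed model of the saiz/chunk-table relationship; not libheif's code.
struct Chunk {
  uint32_t sample_count;  // samples stored in this chunk (from the chunk table)
  uint64_t data_offset;   // file offset of the chunk's first sample
};

struct SaizBox {
  uint32_t num_samples;               // sample count as declared by the file
  std::vector<uint8_t> sample_sizes;  // per-sample auxiliary info size
};

// Walk the declared samples chunk by chunk, advancing current_chunk the way a
// SampleAuxInfoReader-style loop does. Returns std::nullopt instead of
// indexing chunks[chunks.size()] when the declaration outruns the chunk table.
std::optional<std::vector<uint64_t>>
compute_aux_offsets(const SaizBox& saiz, const std::vector<Chunk>& chunks) {
  if (saiz.sample_sizes.size() < saiz.num_samples) return std::nullopt;
  std::vector<uint64_t> offsets;
  size_t current_chunk = 0;
  uint32_t left_in_chunk = chunks.empty() ? 0 : chunks[0].sample_count;
  uint64_t pos = chunks.empty() ? 0 : chunks[0].data_offset;
  for (uint32_t i = 0; i < saiz.num_samples; i++) {
    while (left_in_chunk == 0) {
      current_chunk++;
      // The check whose absence is the CVE: a saiz box declaring more samples
      // than the chunk table holds must be rejected, not read past the end.
      if (current_chunk >= chunks.size()) return std::nullopt;
      left_in_chunk = chunks[current_chunk].sample_count;
      pos = chunks[current_chunk].data_offset;
    }
    offsets.push_back(pos);
    pos += saiz.sample_sizes[i];
    left_in_chunk--;
  }
  return offsets;
}

int main() {
  // Constructed track: two chunks holding 2 + 1 = 3 samples in total.
  std::vector<Chunk> chunks{{2, 100}, {1, 300}};
  SaizBox honest{3, {4, 4, 4}};        // declares exactly the 3 samples present
  SaizBox malformed{4, {4, 4, 4, 4}};  // declares one sample more than exist
  std::printf("honest: %s\n", compute_aux_offsets(honest, chunks) ? "ok" : "rejected");
  std::printf("malformed: %s\n", compute_aux_offsets(malformed, chunks) ? "ok" : "rejected");
  return 0;
}
```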

Defensive priority

Medium

Recommended defensive actions

  • Upgrade libheif to version 1.22.0 or later to eliminate the vulnerability
  • Validate HEIF file sources before processing, implementing input sanitization for untrusted files
  • Monitor application logs for unexpected crashes during HEIF file parsing that may indicate exploitation attempts
  • Review and update dependency management processes to ensure timely tracking of libheif security releases
  • Consider implementing sandboxing or isolation for HEIF processing pipelines handling external user content

Evidence notes

Vulnerability confirmed through the official GitHub security advisory and release notes. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, requiring user interaction (UI:A) for activation. CWE-125 (Out-of-bounds Read) is classified as the primary weakness. Fix version 1.22.0 explicitly addresses this issue per the release documentation.
