CVE-2026-32882 is a heap buffer over-read in libheif’s overlay compositing path. A crafted HEIF file can trigger the flaw when the child image uses a different alpha-channel bit depth than its color channels. The issue can crash the decoder and may also leak adjacent heap data into output pixels. The vulnerability affects libheif 1.21.2 and earlier and is fixed in 1.22.0.
CVE-2026-32741 describes a heap buffer overflow in libheif’s mask image decoding path. A crafted HEIF file containing a mask image can cause MaskImageCodec::decode_mask_image() to copy attacker-controlled extent data into a destination buffer that was sized from the declared image dimensions, creating a heap overwrite. The issue is fixed in libheif 1.22.0.
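
The size check that the CVE-2026-32741 bug class calls for, as an added example that is not libheif's code or its actual fix: the copy length is derived from the declared dimensions and compared with the extent length before any copy. All names (mask_plane_size, copy_mask_checked, the result codes) are hypothetical, and treating any length mismatch as malformed is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { MASK_OK = 0, MASK_BAD_PARAMS = -1, MASK_DST_TOO_SMALL = -2, MASK_SIZE_MISMATCH = -3 };

/* Hypothetical helper: bytes needed for a width x height mask plane with
 * rows padded to whole bytes. Returns 0 on bad parameters or overflow. */
static size_t mask_plane_size(uint32_t width, uint32_t height, uint8_t bits_per_pixel)
{
    if (width == 0 || height == 0 || bits_per_pixel == 0 || bits_per_pixel > 16)
        return 0;
    uint64_t row_bits  = (uint64_t)width * bits_per_pixel; /* cannot overflow 64 bits */
    uint64_t row_bytes = (row_bits + 7) / 8;
    if (row_bytes > SIZE_MAX / height)                     /* row_bytes * height would overflow */
        return 0;
    return (size_t)(row_bytes * height);
}

/* Unsafe pattern (the bug class described above): the length comes from the file.
 *     memcpy(dst, extent, extent_len);
 * Checked form: the length comes from the dimensions that sized dst, and the
 * extent must match it exactly. */
static int copy_mask_checked(uint8_t *dst, size_t dst_cap,
                             uint32_t width, uint32_t height, uint8_t bits_per_pixel,
                             const uint8_t *extent, size_t extent_len)
{
    size_t need = mask_plane_size(width, height, bits_per_pixel);
    if (dst == NULL || extent == NULL || need == 0)
        return MASK_BAD_PARAMS;
    if (need > dst_cap)          /* destination smaller than the declared image */
        return MASK_DST_TOO_SMALL;
    if (extent_len != need)      /* longer would overwrite, shorter would over-read */
        return MASK_SIZE_MISMATCH;
    memcpy(dst, extent, need);
    return MASK_OK;
}

int main(void)
{
    /* Constructed input: a 4x2, 8-bit mask whose extent claims 16 bytes. */
    uint8_t dst[8];
    uint8_t extent[16] = {0};
    int rc = copy_mask_checked(dst, sizeof dst, 4, 2, 8, extent, sizeof extent);
    return rc == MASK_SIZE_MISMATCH ? 0 : 1;
}
```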