CVE-2026-32882

/* * PoC Concept: Demonstrating the logic flaw in HeifPixelImage::overlay() * This C code snippet illustrates the indexing error where 'in_stride' is used * instead of 'alpha_stride' for the alpha plane. */ #include <stdio.h> #include <stdlib.h> #include <string.h> void vulnerable_overlay_logic(int width, int height, int color_stride, int alpha_stride, uint8_t* color_data, uint8_t* alpha_data) { // Simulate the vulnerable loop for (int y = 0; y < height; y++) { for (int x = 0; x < width; x++) { int color_idx = y * color_stride + x; // BUG: Using color_stride for alpha data indexing instead of alpha_stride // This causes out-of-bounds read if alpha_stride < color_stride int alpha_idx = y * color_stride + x; printf("Reading alpha at index %d (size: %d)\n", alpha_idx, width * height); // This would crash or leak memory in real scenario // uint8_t alpha_val = alpha_data[alpha_idx]; } } } int main() { // Example: 10-bit color (larger stride) vs 8-bit alpha (smaller stride) int w = 100, h = 50; int c_stride = 120; // Hypothetical color stride int a_stride = 100; // Hypothetical alpha stride (8-bit) uint8_t dummy_color[120*50]; uint8_t dummy_alpha[100*50]; // Smaller buffer // Trigger the vulnerable logic vulnerable_overlay_logic(w, h, c_stride, a_stride, dummy_color, dummy_alpha); return 0; }

{"cve": {"id": "CVE-2026-32882", "sourceIdentifier": "[email protected]", "published": "2026-05-19T21:16:42.363", "lastModified": "2026-05-20T18:16:26.880", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100×50 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in versionThis issue has been fixed in version 1.22.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://github.com/strukturag/libheif/releases/tag/v1.22.0", "source": "[email protected]"}, {"url": "https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46", "source": "[email protected]"}, {"url": "https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}