QSearchQSearch

CVE-2026-32739

6.5 MEDIUM

libheif is a HEIF and AVIF file format decoder and encoder

Published: 2026-05-19 · Last updated: 2026-05-20

Severity and scoring

CVSS
6.5 MEDIUM
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE
CWE-835

Affected products

VendorProduct
strukturlibheif

Description

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 100% CPU indefinitely with zero progress, leading to DoS. The loop has no iteration limit or timeout and is triggered during file open (parsing) - before any user interaction or image decoding. The process stays alive (no crash, no error logged), making it invisible to crash-based monitoring. This issue has been fixed in version 1.22.0.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-41071 libheif is a HEIF and AVIF file format decoder and encoder (8.1 HIGH)
  • CVE-2026-41069 libheif is a HEIF and AVIF file format decoder and encoder (6.5 MEDIUM)
  • CVE-2026-32740 libheif is a HEIF and AVIF file format decoder and encoder (8.8 HIGH)
  • CVE-2026-32738 libheif is a HEIF and AVIF file format decoder and encoder (6.5 MEDIUM)

Same CWE

  • CVE-2026-48733 ImageMagick is free and open-source software used for editing and manipulating digital images (4.7 MEDIUM)
  • CVE-2026-46521 ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
  • CVE-2026-46522 ImageMagick is free and open-source software used for editing and manipulating digital images (7.5 HIGH)
  • CVE-2026-49495 Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection ... (5.5 MEDIUM)
  • CVE-2025-71330 image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event l... (7.5 HIGH)