{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32882", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.420Z", "datePublished": "2026-05-19T20:07:21.464Z", "dateUpdated": "2026-05-20T17:23:02.780Z"}, "containers": {"cna": {"title": "libheif: Heap Buffer OOB Read in overlay compositing due to wrong alpha stride", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46"}, {"name": "https://github.com/strukturag/libheif/releases/tag/v1.22.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/strukturag/libheif/releases/tag/v1.22.0"}], "affected": [{"vendor": "strukturag", "product": "libheif", "versions": [{"version": "< 1.22.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-19T20:07:21.464Z"}, "descriptions": [{"lang": "en", "value": "libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100\u00d750 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in versionThis issue has been fixed in version 1.22.0."}], "source": {"advisory": "GHSA-hg7q-rjr2-8x46", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-20T17:22:17.177644Z", "id": "CVE-2026-32882", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-20T17:23:02.780Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32882", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-20T17:22:17.177644Z"}}}], "references": [{"url": "https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-20T17:22:08.118Z"}}], "cna": {"title": "libheif: Heap Buffer OOB Read in overlay compositing due to wrong alpha stride", "source": {"advisory": "GHSA-hg7q-rjr2-8x46", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "strukturag", "product": "libheif", "versions": [{"status": "affected", "version": "< 1.22.0"}]}], "references": [{"url": "https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46", "name": "https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/strukturag/libheif/releases/tag/v1.22.0", "name": "https://github.com/strukturag/libheif/releases/tag/v1.22.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100\u00d750 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in versionThis issue has been fixed in version 1.22.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-19T20:07:21.464Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32882", "state": "PUBLISHED", "dateUpdated": "2026-05-20T17:23:02.780Z", "dateReserved": "2026-03-16T21:03:44.420Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-05-19T20:07:21.464Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100\u00d750 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in versionThis issue has been fixed in version 1.22.0."}], "id": "CVE-2026-32882", "lastModified": "2026-05-20T18:16:26.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-05-19T21:16:42.363", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/strukturag/libheif/releases/tag/v1.22.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "libheif: libheif: Denial of Service and Information Disclosure vulnerability", "id": "2480000", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480000"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in libheif, a library used for handling High Efficiency Image File Format (HEIF) and AV1 Image File Format (AVIF) images. A remote attacker could exploit a heap buffer over-read vulnerability by providing a specially crafted HEIF file. This could lead to a denial of service, causing the application to crash, or potentially disclose sensitive information from adjacent memory through the decoded output pixels."], "name": "CVE-2026-32882", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "glycin-loaders", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2026-05-19T20:07:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32882\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32882\nhttps://github.com/strukturag/libheif/releases/tag/v1.22.0\nhttps://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.22.0)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "libheif", "source": "cna", "vendor": "strukturag"}, "product": "libheif", "vendor": "struktur"}], "created": "2026-05-19T21:30:14.351535+00:00", "updated": "2026-05-20T10:00:04.195749+00:00", "vendors": ["struktur", "struktur$PRODUCT$libheif"]}