libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS. A malformed file can have stco.entrycount == 0 (creating no chunks) while still passing validation because saio.entrycount == 0 matches, but with saiz.sample_count > 0 the SampleAuxInfoReader constructor still enters its loop. This leads to an out-of-bounds dereference on the empty chunks[0] in chunked mode.
{
"cwe_ids": [
"CWE-125",
"CWE-476"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41069.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:struktur:libheif:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.22.0"
}
],
"source": [
"AFFECTED_FIELD",
"CPE_RANGE",
"REFERENCES"
]
}[
{
"source": "https://github.com/strukturag/libheif/commit/0c81a846b7401dbdb7118afd0761057f21e43511",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"175107675317900759648359576881034358256",
"220432159010798240840908416937024023837",
"268268967745545109707798594937166387611",
"253707932335489477155115861206639265538",
"199679408075604976163979654915891773303",
"175107675317900759648359576881034358256",
"220432159010798240840908416937024023837",
"268268967745545109707798594937166387611",
"286778284410146987248233194002847271266",
"178248309108630471590778685235254536836"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-41069-91619f1d",
"target": {
"file": "tests/uncompressed_box.cc"
}
}
]
"2026-07-15T20:54:37Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41069.json"