CVE-2026-41069

Source
https://cve.org/CVERecord?id=CVE-2026-41069
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41069.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41069
Aliases
  • GHSA-p82x-fpmv-576r
Downstream
Related
Published
2026-05-22T20:49:16.735Z
Modified
2026-07-15T20:54:37.577209Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
libheif allows Out-of-bounds vector access leading to invalid dereference (DoS)
Details

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS. A malformed file can have stco.entrycount == 0 (creating no chunks) while still passing validation because saio.entrycount == 0 matches, but with saiz.sample_count > 0 the SampleAuxInfoReader constructor still enters its loop. This leads to an out-of-bounds dereference on the empty chunks[0] in chunked mode.

Database specific
{
    "cwe_ids": [
        "CWE-125",
        "CWE-476"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41069.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/strukturag/libheif

Affected ranges

Type
GIT
Repo
https://github.com/strukturag/libheif
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:struktur:libheif:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.22.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v1.*
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.15.1
v1.15.2
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.17.1
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.18.0
v1.18.0-rc1
v1.19.0
v1.19.1
v1.19.2
v1.19.3
v1.19.4
v1.19.5
v1.2.0
v1.20.0
v1.20.1
v1.21.0
v1.21.1
v1.21.2
v1.3.0
v1.3.1
v1.3.2
v1.7.0
v1.8.0
v1.9.0
v1.9.1

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/strukturag/libheif/commit/0c81a846b7401dbdb7118afd0761057f21e43511",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "175107675317900759648359576881034358256",
                "220432159010798240840908416937024023837",
                "268268967745545109707798594937166387611",
                "253707932335489477155115861206639265538",
                "199679408075604976163979654915891773303",
                "175107675317900759648359576881034358256",
                "220432159010798240840908416937024023837",
                "268268967745545109707798594937166387611",
                "286778284410146987248233194002847271266",
                "178248309108630471590778685235254536836"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-41069-91619f1d",
        "target": {
            "file": "tests/uncompressed_box.cc"
        }
    }
]
vanir_signatures_modified
"2026-07-15T20:54:37Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41069.json"