CVE-2026-41071

Source
https://cve.org/CVERecord?id=CVE-2026-41071
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41071.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41071
Aliases
  • GHSA-xj92-xjff-h8w3
Downstream
Related
Published
2026-05-22T20:59:09.822Z
Modified
2026-07-08T08:13:12.929517907Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
libheif: Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz sample count
Details

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track's chunk table causes a heap-buffer-overflow (out-of-bounds read) in the SampleAuxInfoReader constructor. The SampleAuxInfoReader constructor iterates over saiz->getnumsamples() samples but doesn't validate that this count is consistent with the number of chunks in the chunks vector. When saiz declares more samples than the chunks cover, the loop increments currentchunk past chunks.size(), causing an out-of-bounds read on the chunks vector. The vulnerability is triggered during file parsing (heifcontextreadfrom_file) without any additional user interaction. Any application using libheif to open untrusted HEIF files is affected. This issue has been fixed in version 1.22.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41071.json",
    "cwe_ids": [
        "CWE-125"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/strukturag/libheif

Affected ranges

Type
GIT
Repo
https://github.com/strukturag/libheif
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:struktur:libheif:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.22.0"
        }
    ]
}

Affected versions

v1.*
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.15.1
v1.15.2
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.17.1
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.18.0
v1.18.0-rc1
v1.19.0
v1.19.1
v1.19.2
v1.19.3
v1.19.4
v1.19.5
v1.2.0
v1.20.0
v1.20.1
v1.21.0
v1.21.1
v1.21.2
v1.3.0
v1.3.1
v1.3.2
v1.7.0
v1.8.0
v1.9.0
v1.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41071.json"