DEBIAN-CVE-2026-41071

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-41071
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41071.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-41071
Upstream
  • CVE-2026-41071
Published
2026-05-22T22:16:55.470Z
Modified
2026-05-28T09:00:09.252774187Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVSS Calculator
Summary
[none]
Details

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track's chunk table causes a heap-buffer-overflow (out-of-bounds read) in the SampleAuxInfoReader constructor. The SampleAuxInfoReader constructor iterates over saiz->getnumsamples() samples but doesn't validate that this count is consistent with the number of chunks in the chunks vector. When saiz declares more samples than the chunks cover, the loop increments currentchunk past chunks.size(), causing an out-of-bounds read on the chunks vector. The vulnerability is triggered during file parsing (heifcontextreadfrom_file) without any additional user interaction. Any application using libheif to open untrusted HEIF files is affected. This issue has been fixed in version 1.22.0.

References

Affected packages

Debian:11 / libheif

Package

Name
libheif
Purl
pkg:deb/debian/libheif?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.11.0-1
1.11.0-1+deb11u1
1.11.0-1+deb11u2
1.12.0-1
1.12.0-2
1.13.0-1
1.14.2-1
1.15.1-1
1.16.2-1
1.16.2-2
1.16.2-3
1.17.0-1
1.17.1-1
1.17.4-1
1.17.6-1
1.17.6-2
1.17.6-3
1.17.6-4
1.18.1-1
1.18.1-2
1.18.2-1
1.18.2-2
1.19.1-1~bpo12+1
1.19.1-1~bpo12+2
1.19.1-1
1.19.3-1~bpo12+1
1.19.3-1
1.19.5-1
1.19.7-1~bpo12+1
1.19.7-1
1.19.8-1
1.20.1-1
1.20.2-1
1.20.2-2
1.21.2-1
1.21.2-2
1.21.2-3
1.21.2-4

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41071.json"

Debian:12 / libheif

Package

Name
libheif
Purl
pkg:deb/debian/libheif?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.15.1-1
1.15.1-1+deb12u1
1.16.2-1
1.16.2-2
1.16.2-3
1.17.0-1
1.17.1-1
1.17.4-1
1.17.6-1
1.17.6-2
1.17.6-3
1.17.6-4
1.18.1-1
1.18.1-2
1.18.2-1
1.18.2-2
1.19.1-1~bpo12+1
1.19.1-1~bpo12+2
1.19.1-1
1.19.3-1~bpo12+1
1.19.3-1
1.19.5-1
1.19.7-1~bpo12+1
1.19.7-1
1.19.8-1
1.20.1-1
1.20.2-1
1.20.2-2
1.21.2-1
1.21.2-2
1.21.2-3
1.21.2-4

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41071.json"

Debian:13 / libheif

Package

Name
libheif
Purl
pkg:deb/debian/libheif?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.19.8-1
1.20.1-1
1.20.2-1
1.20.2-2
1.21.2-1
1.21.2-2
1.21.2-3
1.21.2-4

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41071.json"

Debian:14 / libheif

Package

Name
libheif
Purl
pkg:deb/debian/libheif?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.19.8-1
1.20.1-1
1.20.2-1
1.20.2-2
1.21.2-1
1.21.2-2
1.21.2-3
1.21.2-4

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41071.json"