libheif Heap-Buffer-Overflow (CVE-2026-32740) Exposes Image Processing Stacks
The National Vulnerability Database has detailed CVE-2026-32740, a critical heap-buffer-overflow (write) vulnerability within libheif, a widely used HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior are affected. This flaw permits an attacker to write 64 bytes of fully controlled data past the end of a chroma plane heap allocation. The attack vector involves crafting a malicious HEIF/AVIF file with a specific 1x4 grid of odd-height tiles.
The overflow is triggered during normal image decoding, even with default build configurations, making exploitation straightforward. The written bytes are chroma pixel values directly from the attacking tile, granting the attacker precise control over the overflow content. This isn’t just a crash; it’s a controlled write, which significantly increases the exploitability for remote code execution. The National Vulnerability Database assigns this a CVSS score of 8.8 (HIGH), underscoring the severity.
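The description above (odd-height tiles, a write past the end of a chroma plane, chroma bytes taken from the attacking tile) is consistent with a size mismatch between a composite chroma plane and the per-tile chroma data pasted into it. The following is an added illustration, not libheif code, and the mechanism it models (per-tile rounding of odd heights under 4:2:0 subsampling) is an assumption chosen to match the page's description rather than a statement about the actual vulnerable code path. All sizes are constructed; the functions `composite_chroma_rows`, `tiles_chroma_rows`, `chroma_overflow_bytes`, `paste_tile_chroma_checked` and `first_rejected_tile` are hypothetical names for this model.

```c
/* Added example (not libheif's code): a simplified model of grid-tile
 * compositing with 4:2:0 chroma subsampling. It shows how rounding each
 * odd-height tile up on its own can require more chroma rows than the
 * composite plane was allocated with, and a bounds check that rejects
 * the copy instead of writing past the allocation. Values are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 4:2:0 chroma dimensions: luma size halved, rounded up. */
static size_t chroma_rows(size_t luma_rows) { return (luma_rows + 1) / 2; }
static size_t chroma_cols(size_t luma_cols) { return (luma_cols + 1) / 2; }

/* Rows the composite chroma plane is allocated with, derived from the
 * total grid height (assumption for this model). */
size_t composite_chroma_rows(size_t tile_h, size_t tiles) {
    return chroma_rows(tile_h * tiles);
}

/* Rows that tile-by-tile pasting writes when each tile is rounded up alone. */
size_t tiles_chroma_rows(size_t tile_h, size_t tiles) {
    return tiles * chroma_rows(tile_h);
}

/* Bytes an unchecked paste would write past the allocation (0 if none). */
size_t chroma_overflow_bytes(size_t tile_w, size_t tile_h, size_t tiles) {
    size_t need = tiles_chroma_rows(tile_h, tiles);
    size_t have = composite_chroma_rows(tile_h, tiles);
    return need > have ? (need - have) * chroma_cols(tile_w) : 0;
}

/* Hardened paste: copies one tile's chroma plane into the composite at row
 * offset tile_index * chroma_rows(tile_h) and refuses any copy that would
 * cross the end of dst. Returns 0 on success, -1 if the tile is rejected. */
int paste_tile_chroma_checked(uint8_t *dst, size_t dst_rows, size_t dst_cols,
                              const uint8_t *src, size_t tile_w, size_t tile_h,
                              size_t tile_index) {
    size_t rows = chroma_rows(tile_h);
    size_t cols = chroma_cols(tile_w);
    size_t row0 = tile_index * rows;
    /* rows > dst_rows is checked first so dst_rows - rows cannot wrap. */
    if (cols > dst_cols || rows > dst_rows || row0 > dst_rows - rows)
        return -1; /* would write past the end of dst: reject, do not clamp silently */
    for (size_t r = 0; r < rows; r++)
        memcpy(dst + (row0 + r) * dst_cols, src + r * cols, cols);
    return 0;
}

/* Runs a 1xN grid through the checked paste. Returns the index of the first
 * tile the check rejects, or -1 if every tile fits in the composite plane. */
int first_rejected_tile(size_t tile_w, size_t tile_h, size_t tiles) {
    size_t dst_rows = composite_chroma_rows(tile_h, tiles);
    size_t dst_cols = chroma_cols(tile_w);
    size_t src_len = chroma_rows(tile_h) * dst_cols;
    uint8_t *dst = calloc(dst_rows * dst_cols, 1);
    uint8_t *src = malloc(src_len);
    memset(src, 0x41, src_len); /* constructed tile chroma content */
    int rejected = -1;
    for (size_t i = 0; i < tiles; i++) {
        if (paste_tile_chroma_checked(dst, dst_rows, dst_cols, src, tile_w, tile_h, i) != 0) {
            rejected = (int)i;
            break;
        }
    }
    free(dst);
    free(src);
    return rejected;
}

int main(void) {
    size_t w = 32, h = 5, n = 4; /* constructed: 1x4 grid of 32x5 (odd-height) tiles */
    printf("composite chroma rows: %zu, tile-sum chroma rows: %zu, unchecked overflow: %zu bytes\n",
           composite_chroma_rows(h, n), tiles_chroma_rows(h, n), chroma_overflow_bytes(w, h, n));
    printf("first tile rejected by the bounds check: %d\n", first_rejected_tile(w, h, n));
    return 0;
}
```

With four 5-row tiles the composite plane holds 10 chroma rows but per-tile rounding asks for 12, so an unchecked paste of the last tile runs past the allocation; the checked paste rejects tile 3 and leaves the buffer intact. The design point for a decoder is to derive the destination extent from the allocation actually made and to validate every tile placement against it, rather than trusting that the grid arithmetic in the file agrees with the rounding used when the plane was sized.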
This vulnerability highlights a critical risk in media processing pipelines. Any application, service, or system that ingests and decodes HEIF or AVIF files using vulnerable versions of libheif is at risk. Defenders must recognize that attackers will leverage file formats like these to bypass traditional perimeter defenses, embedding exploits within seemingly innocuous image files. The fix is available in libheif version 1.22.0.
What This Means For You
- If your organization processes HEIF or AVIF images, directly or indirectly, you are exposed. Identify all systems, applications, and third-party libraries that rely on libheif. Prioritize patching to version 1.22.0 or later immediately. Audit any image processing services, especially those exposed to untrusted user input, for signs of exploitation. This is a client-side vulnerability that can lead to remote code execution simply by processing a malicious image.
🛡️ Detection Rules
```yaml
title: CVE-2026-32740 - libheif Heap-Buffer-Overflow via Crafted HEIF/AVIF File
id: scw-2026-05-19-ai-1
status: experimental
level: critical
description: |
  Detects the execution of processes that attempt to decode HEIF or AVIF files using libheif, which is the primary vector for CVE-2026-32740. This rule specifically targets the file types associated with the vulnerability and the library involved, indicating a potential attempt to exploit the heap-buffer-overflow.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-32740/
tags:
  - attack.initial_access
  - attack.t1566.002
logsource:
  category: process_creation
detection:
  selection:
    Image|contains:
      - 'libheif'
    CommandLine|contains:
      - '.heif'
      - '.avif'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32740 | Buffer Overflow | libheif versions 1.21.2 and prior |
| CVE-2026-32740 | Memory Corruption | Heap-buffer-overflow (write) in grid tile compositing |
| CVE-2026-32740 | Code Injection | Crafted HEIF/AVIF file with a 1x4 grid of odd-height tiles |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 19, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.