libheif Heap Overflow (CVE-2026-32741) Risks HEIF/AVIF Decoders
The National Vulnerability Database has disclosed CVE-2026-32741, a heap buffer overflow vulnerability in libheif versions 1.21.2 and below. This library is crucial for decoding and encoding HEIF and AVIF file formats. The flaw resides in the MaskImageCodec::decode_mask_image() function, where a crafted HEIF file containing a mask image item (mski) yields an attacker-controlled copy length for the memcpy. The destination buffer is sized from the declared image dimensions, but that size is never checked as an upper bound against the length of the iloc extent data being copied into it, so a larger extent overflows the heap buffer.
Attackers can trigger this vulnerability by crafting a HEIF file where the mskC property specifies 8 bits per pixel and the ispe property declares an even width of 64 or greater. This specific configuration bypasses default security limits and external codec plugin requirements, making exploitation straightforward. The CVSS score of 7.1 (HIGH) underscores the severity, with a vector indicating network-based attacks requiring user interaction but leading to significant availability impact and potential information disclosure (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).
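As an added illustration that is not libheif's own code, the following hypothetical C++ model shows the bound that the advisory says is missing: the destination size is derived from the declared ispe dimensions and mskC bits per pixel, and the iloc extent length is validated against it before any copy. The names MaskImage, mask_buffer_size and decode_mask_image_checked, and the assumption that mask images carry either 1 or 8 bits per pixel, are mine.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical model of a mask-image decoder (not libheif's code). The
// declared ispe width/height and mskC bits_per_pixel size the destination
// buffer; the iloc extent supplies the bytes that get copied into it.
struct MaskImage {
    uint32_t width = 0;
    uint32_t height = 0;
    uint8_t bits_per_pixel = 0;   // from the mskC property
    std::vector<uint8_t> pixels;  // row-major, one stride per row
};

enum class DecodeResult { Ok, UnsupportedBpp, SizeOverflow, ExtentTooShort, ExtentTooLong };

// Expected byte size of a mask buffer for the declared dimensions.
// Assumes 1 or 8 bits per pixel; returns false on unsupported bpp or size_t overflow.
bool mask_buffer_size(uint32_t width, uint32_t height, uint8_t bpp, size_t* out) {
    if (bpp != 1 && bpp != 8) return false;
    size_t stride = (bpp == 8) ? width : (static_cast<size_t>(width) + 7) / 8;
    if (height != 0 && stride > SIZE_MAX / height) return false;
    *out = stride * height;
    return true;
}

// Unlike the unchecked pattern the advisory describes (memcpy of the whole
// extent into a dimension-sized buffer), the copy length here is bounded by
// the size computed from the declared dimensions; an extent that is longer
// (the CVE-2026-32741 case) or shorter (an over-read) is rejected outright.
DecodeResult decode_mask_image_checked(uint32_t width, uint32_t height, uint8_t bpp,
                                       const std::vector<uint8_t>& extent, MaskImage* out) {
    if (bpp != 1 && bpp != 8) return DecodeResult::UnsupportedBpp;
    size_t expected = 0;
    if (!mask_buffer_size(width, height, bpp, &expected)) return DecodeResult::SizeOverflow;
    if (extent.size() < expected) return DecodeResult::ExtentTooShort;
    if (extent.size() > expected) return DecodeResult::ExtentTooLong;
    out->width = width;
    out->height = height;
    out->bits_per_pixel = bpp;
    out->pixels.assign(expected, 0);
    std::memcpy(out->pixels.data(), extent.data(), expected);  // length bounded by `expected`
    return DecodeResult::Ok;
}
```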
This isn’t just about image viewing; it’s about any system processing HEIF or AVIF files. Think about web services that ingest user-uploaded images, email clients previewing attachments, or applications handling multimedia. A successful exploit could lead to denial of service, arbitrary code execution, or information leaks. The fix is available in libheif version 1.22.0, making patching the most critical immediate action.
What This Means For You
- If your organization processes HEIF or AVIF files, especially from untrusted sources, you are exposed to CVE-2026-32741. This vulnerability could lead to system compromise or service disruption through a specially crafted image. Immediately identify all systems using libheif versions 1.21.2 or below and prioritize upgrading to version 1.22.0 to mitigate this heap overflow risk.
🛡️ Detection Rules
Potential libheif Heap Overflow Exploit Attempt (CVE-2026-32741)
```yaml
title: Potential libheif Heap Overflow Exploit Attempt (CVE-2026-32741)
id: scw-2026-05-19-ai-1
status: experimental
level: high
description: |
    This rule detects the potential exploitation of CVE-2026-32741, a heap buffer overflow in libheif when decoding HEIF/AVIF files with specific mask image properties. It looks for processes commonly associated with image viewing or document handling (like image viewers, PDF readers) attempting to process .heic or .heif files, which could indicate an exploit attempt. The vulnerability occurs when a crafted file's iloc extent exceeds the allocated pixel buffer, leading to a heap overflow.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-32741/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: process_creation
detection:
    selection:
        Image|contains:
            - 'libheif'
        CommandLine|contains:
            - '.heic'
            - '.heif'
        ParentImage|contains:
            - 'explorer.exe'
            - 'acrord32.exe'
            - 'previewhost.exe'
            - 'acrord32_foxit.exe'
            - 'Acrobat.exe'
    condition: selection
falsepositives:
    - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32741 | Buffer Overflow | libheif versions 1.21.2 and below |
| CVE-2026-32741 | Buffer Overflow | Vulnerable function: MaskImageCodec::decode_mask_image() |
| CVE-2026-32741 | Buffer Overflow | Trigger: Crafted HEIF file with mask image (mski) where iloc extent exceeds pixel buffer allocation |
| CVE-2026-32741 | Buffer Overflow | Conditions: mskC property specifies bits_per_pixel = 8 and ispe property declares an even width ≥ 64 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 20, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.