Libheif Heap Buffer Over-Read Vulnerability (CVE-2026-32882) Exposes Data, Causes DoS

The National Vulnerability Database has detailed CVE-2026-32882, a critical heap buffer over-read vulnerability affecting libheif, a library for decoding and encoding HEIF and AVIF image formats. Versions prior to 1.22.0 contain a flaw in the HeifPixelImage::overlay() function. The flaw is triggered when compositing an overlay image whose alpha channel has a different bit depth from its color channels. The function incorrectly uses the color channel stride instead of the alpha channel stride, so it reads beyond the allocated alpha buffer. This can result in denial of service through crashes, or in information disclosure when leaked heap memory bytes end up embedded in output pixels. The National Vulnerability Database notes reads of up to 3,123 bytes for specific image configurations.
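A simplified model of the stride mix-up described above, added here as an illustration; it is not libheif's code. The plane_t type and all function names are hypothetical, and it assumes tightly packed rows with a 16-bit color plane and an 8-bit alpha plane.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified plane model (hypothetical names, not libheif's structures).
   Assumption: rows are tightly packed, so stride = width * bytes_per_sample. */
typedef struct {
    uint8_t *data;
    size_t width, height, stride, size;   /* stride and size are in bytes */
} plane_t;

plane_t plane_alloc(size_t w, size_t h, size_t bytes_per_sample) {
    size_t stride = w * bytes_per_sample;
    plane_t p = { calloc(stride * h ? stride * h : 1, 1), w, h, stride, stride * h };
    return p;
}

/* Bytes beyond the alpha allocation that a row-by-row scan reaches when rows
   are stepped by row_stride. Pure arithmetic; nothing is dereferenced. */
size_t alpha_overread(const plane_t *alpha, size_t row_stride) {
    if (alpha->width == 0 || alpha->height == 0) return 0;
    size_t end = (alpha->height - 1) * row_stride + alpha->stride; /* one past last byte */
    return end > alpha->size ? end - alpha->size : 0;
}

/* Hardened read of an 8-bit alpha sample: index with the plane's own stride
   and reject anything outside the allocation. Returns -1 when out of range. */
int alpha_at(const plane_t *alpha, size_t x, size_t y) {
    if (!alpha->data || x >= alpha->width || y >= alpha->height) return -1;
    size_t off = y * alpha->stride + x;
    return off < alpha->size ? alpha->data[off] : -1;
}

/* Constructed case: 16-bit color plane and 8-bit alpha plane, same dimensions. */
size_t demo_overread(size_t w, size_t h, int use_color_stride) {
    plane_t color = plane_alloc(w, h, 2), alpha = plane_alloc(w, h, 1);
    size_t n = alpha_overread(&alpha, use_color_stride ? color.stride : alpha.stride);
    free(color.data); free(alpha.data);
    return n;
}

int main(void) {
    printf("color stride: %zu bytes past the alpha buffer\n", demo_overread(8, 4, 1));
    printf("alpha stride: %zu bytes past the alpha buffer\n", demo_overread(8, 4, 0));
    return 0;
}
```

In this model the over-read grows with image height, since every row after the first is offset by the wider stride.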

What This Means For You

  • If your organization utilizes applications that process HEIF or AVIF images via libheif, you must update to version 1.22.0 or later immediately. Attackers can exploit this vulnerability by tricking users into opening a crafted image file, leading to system instability or potential data leakage. Prioritize patching this library to mitigate DoS risks and prevent sensitive memory contents from being exfiltrated.

Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

high T1204.002 Execution

CVE-2026-32882 - Libheif Heap Buffer Over-Read in PixelImage::overlay

Sigma YAML
title: CVE-2026-32882 - Libheif Heap Buffer Over-Read in PixelImage::overlay
id: scw-2026-05-19-ai-1
status: experimental
level: high
description: |
  Detects the potential exploitation of CVE-2026-32882 by identifying processes that load or interact with libheif libraries when processing .heif or .avif files, particularly when initiated by common image viewers or editors. This rule aims to catch the initial trigger of the vulnerability, which could lead to a DoS or memory disclosure.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-32882/
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
detection:
  # Fields inside one selection are ANDed; the values in each list are ORed.
  selection:
    # Image is the path of the started executable, not of a library it loads.
    Image|contains:
      - 'libheif'
    CommandLine|contains:
      - '.heif'
      - '.avif'
    ParentImage|contains:
      - 'explorer.exe'
      - 'acrord32.exe'
      - 'acrord64.exe'
      - 'previewhost.exe'
      - 'photoshop.exe'
      - 'gimp-2.10.exe'
  # The condition sits under detection and refers to the selection by name.
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32882 | Buffer Overflow | libheif versions 1.21.2 and prior |
| CVE-2026-32882 | Denial of Service | Heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc |
| CVE-2026-32882 | Information Disclosure | Heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc |
| CVE-2026-32882 | Buffer Overflow | Crafted HEIF file exploiting alpha channel bit depth mismatch |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 20, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
