VU#481830: libheif Uncompressed Codec Lacks Bounds Check Leading to Application Crash

Overview

An out-of-bounds memory access vulnerability exists in the uncompressed decoder component of libheif. A maliciously crafted HEIF image can trigger a denial-of-service condition by causing the libheif library to crash or exhibit other unexpected behavior due to an out-of-bounds memory access.

Description

libheif is an open-source library used for decoding and encoding modern image formats, including HEIF (High Efficiency Image File Format) and AVIF (AV1 Image File Format). These formats provide high compression efficiency and are widely used across mobile devices and online platforms.

libheif contains an out-of-bounds iterator access vulnerability in its uncompressed codec. The issue occurs when the decoder processes certain metadata structures within a HEIF file. Specifically, the decoder fails to adequately validate values read from an internal metadata box before performing iterator arithmetic on the underlying data buffer.

As a result, a malformed HEIF file can cause the decoder to read past the end of the input buffer and incorrectly interpret unrelated memory as valid metadata. This invalid memory access may lead to a segmentation fault during image decoding.
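The kind of check the description refers to, shown as an added illustration that is not libheif's own code: a generic metadata-box parser whose box layout, field names and sample bytes are all constructed for this example. It validates a count read from the box against the bytes actually remaining before any iterator arithmetic, so a truncated or oversized count is rejected instead of walking the iterator past the end of the input buffer.

```cpp
// Added example (not libheif code). Hypothetical box layout:
//   uint32 entry_count (big-endian), then entry_count 4-byte entries.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <iterator>
#include <optional>
#include <vector>

struct Entry {
    uint16_t component_index;
    uint8_t  bit_depth;
    uint8_t  format;
};

struct ParsedBox {
    std::vector<Entry> entries;
};

// Reads a big-endian 32-bit value at `it`; the caller guarantees 4 bytes remain.
static uint32_t read_be32(std::vector<uint8_t>::const_iterator it) {
    return (uint32_t(it[0]) << 24) | (uint32_t(it[1]) << 16) |
           (uint32_t(it[2]) << 8)  |  uint32_t(it[3]);
}

// Returns nullopt on any malformed input rather than reading past `end`.
std::optional<ParsedBox> parse_box_checked(const std::vector<uint8_t>& data) {
    auto it  = data.cbegin();
    auto end = data.cend();
    if (std::distance(it, end) < 4) return std::nullopt;   // no room for the count
    const uint32_t count = read_be32(it);
    it += 4;

    // Validate the declared count against the remaining length BEFORE the loop.
    // Compare on lengths (remaining / entry_size) instead of forming
    // `it + count * entry_size`, which could overflow or yield an invalid iterator.
    const size_t remaining  = static_cast<size_t>(std::distance(it, end));
    const size_t entry_size = 4;
    if (count > remaining / entry_size) return std::nullopt;

    ParsedBox box;
    box.entries.reserve(count);
    for (uint32_t i = 0; i < count; ++i) {
        Entry e;
        e.component_index = static_cast<uint16_t>((uint16_t(it[0]) << 8) | it[1]);
        e.bit_depth       = it[2];
        e.format          = it[3];
        it += entry_size;          // safe: the loop bound was checked above
        box.entries.push_back(e);
    }
    return box;
}

// Constructed sample inputs.
std::vector<uint8_t> well_formed_box() {           // count = 2, two entries present
    return {0, 0, 0, 2,   0, 1, 8, 0,   0, 2, 8, 1};
}
std::vector<uint8_t> truncated_box() {             // declares 100 entries, carries one
    return {0, 0, 0, 100,   0, 1, 8, 0};
}
std::vector<uint8_t> huge_count_box() {            // count near UINT32_MAX
    return {0xFF, 0xFF, 0xFF, 0xFF,   0, 1, 8, 0};
}

bool parses_ok(const std::vector<uint8_t>& d) {
    return parse_box_checked(d).has_value();
}
size_t entry_count(const std::vector<uint8_t>& d) {
    auto r = parse_box_checked(d);
    return r ? r->entries.size() : 0;
}

int main() {
    std::printf("well-formed: %s (%zu entries)\n",
                parses_ok(well_formed_box()) ? "accepted" : "rejected",
                entry_count(well_formed_box()));
    std::printf("truncated:   %s\n", parses_ok(truncated_box()) ? "accepted" : "rejected");
    std::printf("huge count:  %s\n", parses_ok(huge_count_box()) ? "accepted" : "rejected");
    return 0;
}
```

The design point is that the length check is done on sizes rather than on iterators: computing `it + count * entry_size` first and comparing afterwards can itself overflow or produce an iterator outside the container, which is exactly the behaviour an AddressSanitizer build would flag.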

CVE-2025-65586 tracks this missing bounds check in libheif's uncompressed codec, which allows a maliciously crafted HEIF file to trigger an out-of-bounds read, resulting in a segmentation fault and denial of service when the file is parsed. The vulnerability was introduced in commit 6190b58f (October 3, 2024). Versions v1.19.0 through v1.21.1 are affected by this vulnerability; versions v1.17.6 and earlier are not affected. The issue was reported to the libheif project and has been fixed in commit f4d9157 (November 5, 2025), which was then merged into the 1.21.0 release at the end of 2025.

Impact

An attacker can exploit this vulnerability by supplying a maliciously crafted HEIF image, causing applications that use libheif to crash. Based on current analysis, exploitation is limited to denial-of-service conditions.

Potential impacts include:

  • Unexpected termination of applications that decode HEIF images
  • Crashes in systems that automatically generate previews or thumbnails
  • Disruption of services that process untrusted HEIF content (e.g., browsers, email clients, photo management tools)

There is no evidence at this time that this vulnerability can be used to achieve memory disclosure or arbitrary code execution.

Discovery

The vulnerability was discovered through coverage-guided fuzzing using AddressSanitizer-instrumented builds of libheif. The issue was reproducible across standard Linux development environments.

Solution

Software vendors and developers using the libheif library are strongly encouraged to update to version 1.21.0 or later, which includes the fix for this vulnerability. End users should apply available software updates to ensure they are running a version of libheif that addresses this issue.

Acknowledgements

Thanks to the reporter Maor Caplan for identifying the vulnerability and to Dirk Farin for implementing the fix.
This document was written by Timur Snoke.