Your message dated Wed, 01 Jul 2026 08:35:08 +0000
with message-id <[email protected]>
and subject line Bug#1137524: fixed in libheif 1.23.1-1
has caused the Debian Bug report #1137524,
regarding libheif: CVE-2026-32738 CVE-2026-32739 CVE-2026-32740 CVE-2026-32741
CVE-2026-32814 CVE-2026-32882 CVE-2026-41069 CVE-2026-41071
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137524
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libheif
Version: 1.21.2-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for libheif.
Rationale for not making single bug reports: All issues should be fixed
in the 1.22.0 version. Older versions have not been assessed for each
individual version but so you are at least aware of the batch of CVE
assignments.
CVE-2026-32738[0]:
| libheif is a HEIF and AVIF file format decoder and encoder. In
| versions 1.21.2 and below, a crafted 792-byte HEIF sequence file
| with samples_per_chunk=0 in the stsc box causes an unsigned integer
| underflow in the Chunk constructor (m_last_sample = 0 + 0 - 1 =
| UINT32_MAX), mapping all samples to an empty chunk and resulting in
| a denial of service. When any sample is accessed, the library reads
| from index 0 of an empty std::vector, causing a guaranteed SEGV
| (null-page read). The file parses successfully without producing an
| error; the crash occurs on the first frame access. This issue has
| been fixed in version 1.22.0.
CVE-2026-32739[1]:
| libheif is a HEIF and AVIF file format decoder and encoder. In
| versions 1.21.2 and below, a crafted 800-byte HEIF sequence file
| causes an infinite loop in Box_stts::get_sample_duration(),
| consuming 100% CPU indefinitely with zero progress, leading to DoS.
| The loop has no iteration limit or timeout and is triggered during
| file open (parsing) - before any user interaction or image decoding.
| The process stays alive (no crash, no error logged), making it
| invisible to crash-based monitoring. This issue has been fixed in
| version 1.22.0.
CVE-2026-32740[2]:
| libheif is a HEIF and AVIF file format decoder and encoder. Versions
| 1.21.2 and prior contain a heap-buffer-overflow (write)
| vulnerability in the grid tile compositing, allowing an attacker to
| write 64 bytes of fully attacker-controlled data past the end of a
| chroma plane heap allocation by crafting a HEIF/AVIF file with a 1×4
| grid of odd-height tiles. The overflow is triggered during normal
| image decoding with default build configuration. The written bytes
| are chroma (Cb/Cr) pixel values from the attacking tile, giving the
| attacker full control over the overflow content. This issue has been
| fixed in version 1.22.0.
CVE-2026-32741[3]:
| libheif is a HEIF and AVIF file format decoder and encoder. Versions
| 1.21.2 and below contain a heap buffer overflow in
| MaskImageCodec::decode_mask_image(). When decoding a HEIF file
| containing a mask image (mski), the function copies the full iloc
| extent data into a pixel buffer using memcpy(dst, data.data(),
| data.size()). The copy length data.size() is determined by the iloc
| extent in the file (attacker-controlled), while the destination
| buffer is sized based on the declared image dimensions. Because no
| upper-bound check exists on the data length, a crafted file whose
| iloc extent exceeds the pixel buffer allocation overflows the heap.
| The vulnerable single-memcpy branch is reached when the mskC
| property specifies bits_per_pixel = 8 and the ispe property declares
| an even width ≥ 64 (so that stride == width), with no changes to
| default security limits or external codec plugins required. This
| issue has been fixed in version 1.22.0.
CVE-2026-32814[4]:
| libheif is a HEIF and AVIF file format decoder and encoder. In
| versions 1.21.2 and prior, when decoding a HEIF grid image with
| strict_decoding=false (the default), a corrupted tile silently fails
| to decode and the library returns heif_error_Ok with no indication
| of failure, leading to an uninitialized heap memory information
| leak. The canvas is allocated via create_clone_image_at_new_size() →
| plane.alloc() → new (std::nothrow) uint8_t[allocation_size] which
| does not zero the memory; only the alpha plane is explicitly
| initialized via fill_plane(), so the Y, Cb, and Cr planes contain
| whatever was previously at that heap address. The failed tile's
| region of the canvas is never written. It retains uninitialized heap
| data that is delivered to the caller as decoded pixel values (4,096
| bytes per Y/Cb/Cr plane = 12,288+ bytes total). Any application
| using libheif to decode grid-based HEIF/AVIF files with default
| settings is vulnerable: a crafted .heic or .avif file causes 4,096+
| bytes of heap memory to appear as pixel values in the decoded image,
| and the calling application receives heif_error_Ok, so it has no
| indication the output contains heap garbage. In server-side image
| processing, an uploaded crafted HEIF decoded and re-encoded (e.g.,
| as PNG/JPEG for thumbnails, CDN, social media) can leak cross-user
| data such as auth tokens, database results, and other users' image
| data. This issue has been fixed in version 1.22.0.
CVE-2026-32882[5]:
| libheif is a HEIF and AVIF file format decoder and encoder. Versions
| 1.21.2 and prior contain a heap buffer over-read in
| HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing
| an overlay image (iovl) whose child image has a different bit depth
| for the alpha channel than for the color channels, the function
| indexes into the alpha plane using the color channel stride
| (in_stride) instead of the previously retrieved alpha_stride,
| causing reads past the end of the alpha buffer (up to 3,123 bytes
| for a 100×50 image with 10-bit color and 8-bit alpha). A crafted
| HEIF file can exploit this to cause a denial of service (crash) or
| potentially disclose adjacent heap memory through leaked bytes
| embedded in the decoded output pixels. This issue has been fixed in
| version 1.22.0.
CVE-2026-41069[6]:
| libheif is a HEIF and AVIF file format decoder and encoder. In
| versions 1.21.2 and prior, a malformed HEIF sequence file can
| trigger an out-of-bounds read in core sequence parsing logic,
| causing DoS. A malformed file can have stco.entry_count == 0
| (creating no chunks) while still passing validation because
| saio.entry_count == 0 matches, but with saiz.sample_count > 0 the
| SampleAuxInfoReader constructor still enters its loop. This leads to
| an out-of-bounds dereference on the empty chunks[0] in chunked mode.
CVE-2026-41071[7]:
| libheif is a HEIF and AVIF file format decoder and encoder. In
| versions 1.21.2 and prior, a crafted HEIF sequence file where the
| saiz box declares more samples than actually exist in the track's
| chunk table causes a heap-buffer-overflow (out-of-bounds read) in
| the SampleAuxInfoReader constructor. The SampleAuxInfoReader
| constructor iterates over saiz->get_num_samples() samples but
| doesn't validate that this count is consistent with the number of
| chunks in the chunks vector. When saiz declares more samples than
| the chunks cover, the loop increments current_chunk past
| chunks.size(), causing an out-of-bounds read on the chunks vector.
| The vulnerability is triggered during file parsing
| (heif_context_read_from_file) without any additional user
| interaction. Any application using libheif to open untrusted HEIF
| files is affected. This issue has been fixed in version 1.22.0.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32738
https://www.cve.org/CVERecord?id=CVE-2026-32738
[1] https://security-tracker.debian.org/tracker/CVE-2026-32739
https://www.cve.org/CVERecord?id=CVE-2026-32739
[2] https://security-tracker.debian.org/tracker/CVE-2026-32740
https://www.cve.org/CVERecord?id=CVE-2026-32740
[3] https://security-tracker.debian.org/tracker/CVE-2026-32741
https://www.cve.org/CVERecord?id=CVE-2026-32741
[4] https://security-tracker.debian.org/tracker/CVE-2026-32814
https://www.cve.org/CVERecord?id=CVE-2026-32814
[5] https://security-tracker.debian.org/tracker/CVE-2026-32882
https://www.cve.org/CVERecord?id=CVE-2026-32882
[6] https://security-tracker.debian.org/tracker/CVE-2026-41069
https://www.cve.org/CVERecord?id=CVE-2026-41069
[7] https://security-tracker.debian.org/tracker/CVE-2026-41071
https://www.cve.org/CVERecord?id=CVE-2026-41071
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
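The three sequence-file issues above (CVE-2026-32738, CVE-2026-41069, CVE-2026-41071) all stem from sample-table fields being trusted before chunk ranges are built. The following is an added example, not libheif's own code; `ChunkRange`, `make_chunk_range` and `saiz_consistent_with_chunks` are hypothetical stand-ins for the Chunk constructor and the SampleAuxInfoReader checks the advisories describe.

```cpp
// Added example (not libheif code): input checks for the stsc/stco/saiz
// consistency problems described in the CVE texts. Names are hypothetical.
#include <cstdint>
#include <vector>

struct ChunkRange {          // stand-in for libheif's Chunk
  uint32_t first_sample;
  uint32_t last_sample;      // inclusive
};

// Computes [first, first + count - 1] without the unsigned underflow that
// samples_per_chunk == 0 produced in the Chunk constructor
// (0 + 0 - 1 == UINT32_MAX, mapping every sample to an empty chunk).
// Returns false instead of producing a bogus range.
bool make_chunk_range(uint32_t first_sample, uint32_t samples_per_chunk,
                      ChunkRange* out) {
  if (samples_per_chunk == 0) return false;                    // empty chunk
  if (samples_per_chunk - 1 > UINT32_MAX - first_sample) return false; // wrap
  out->first_sample = first_sample;
  out->last_sample = first_sample + samples_per_chunk - 1;
  return true;
}

// Rejects a saiz sample count the chunk table cannot cover: a track with no
// chunks (stco.entry_count == 0) carries no samples, and the reader loop must
// never advance current_chunk past chunks.size().
bool saiz_consistent_with_chunks(uint32_t saiz_sample_count,
                                 const std::vector<ChunkRange>& chunks) {
  if (saiz_sample_count == 0) return true;   // nothing to read
  if (chunks.empty()) return false;          // CVE-2026-41069 shape
  uint64_t covered = 0;                      // 64-bit: sums cannot wrap
  for (const ChunkRange& c : chunks)
    covered += uint64_t(c.last_sample) - c.first_sample + 1;
  return saiz_sample_count <= covered;       // CVE-2026-41071 shape
}
```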
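For the mask-image copy in CVE-2026-32741, the fix is to bound the iloc extent by the plane allocation derived from the declared dimensions before the memcpy. This is an added example, not libheif's code; `copy_mask_plane` and `MaskResult` are hypothetical, and the example only models the 8-bits-per-pixel, even-width branch where stride == width.

```cpp
// Added example (not libheif code): the single-memcpy mask copy with the
// upper-bound check the advisory says was missing. Names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

enum class MaskResult { Ok, BadDimensions, ExtentTooShort, ExtentTooLong };

// `width`/`height` come from ispe (trusted only after validation), `extent`
// is the raw iloc extent data (attacker-controlled length), `plane` is the
// destination pixel buffer sized from the dimensions, as in the advisory.
MaskResult copy_mask_plane(uint32_t width, uint32_t height,
                           const std::vector<uint8_t>& extent,
                           std::vector<uint8_t>& plane) {
  // Only the stride == width case (8 bpp, even width) is modelled here.
  if (width == 0 || height == 0 || (width % 2) != 0)
    return MaskResult::BadDimensions;
  const size_t needed = size_t(width) * height;   // 64-bit product, no wrap

  // The vulnerable branch was memcpy(dst, data.data(), data.size()):
  // data.size() came from the file, dst was sized from width*height.
  // Compare the two before copying; a longer extent must not reach memcpy.
  if (extent.size() < needed) return MaskResult::ExtentTooShort;
  if (extent.size() > needed) return MaskResult::ExtentTooLong;

  plane.assign(needed, 0);                        // allocation matches copy
  std::memcpy(plane.data(), extent.data(), needed);
  return MaskResult::Ok;
}
```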
--- Begin Message ---
Source: libheif
Source-Version: 1.23.1-1
Done: Joachim Bauch <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libheif, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joachim Bauch <[email protected]> (supplier of updated libheif package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 01 Jul 2026 10:14:01 +0200
Source: libheif
Built-For-Profiles: noudeb
Architecture: source
Version: 1.23.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Joachim Bauch <[email protected]>
Closes: 1130640 1137524 1140223 1140479
Changes:
libheif (1.23.1-1) unstable; urgency=medium
.
* New upstream version 1.23.1
* Fixes CVE-2026-54240, CVE-2026-54241
* Unpackaged upstream version 1.23.0 fixes the following CVEs:
CVE-2026-50142
* Unpackaged upstream version 1.22.1 fixes the following CVEs:
CVE-2026-49271 (Closes: #1140479)
* Unpackaged upstream version 1.22.0 fixes the following CVEs:
CVE-2026-3950 (Closes: #1130640), CVE-2026-32738, CVE-2026-32739,
CVE-2026-32740, CVE-2026-32741, CVE-2026-32814, CVE-2026-32882,
CVE-2026-41069, CVE-2026-41071 (Closes: #1137524),
CVE-2026-47178 (Closes: #1140223), CVE-2026-47247, CVE-2026-47251,
CVE-2026-47254, CVE-2026-47709, CVE-2026-47714, CVE-2026-48029
* d/control: Bump "Standards-Version" to 4.7.4
* Update symbols for new upstream version.
* d/control: Build-depend on libtiff-dev for TIFF support in examples.
* d/control: Build-depend on libwebp-dev for WebP support in examples.
* Remove patches no longer necessary.
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---