CVE-2024-41311 — Out-of-bounds Read in Libheif

CWE-125 — Out-of-bounds Read CWE-787 — Out-of-bounds Write5 documents5 sources

Severity

8.1HIGHNVD

EPSS

0.2%

top 58.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Struktur Libheif Debian Libheif Debian Linux

Timeline

PublishedOct 15

Latest updateOct 23

Description

In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif file containing an overlay image with forged offsets can lead to an out-of-bounds read and write.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

▶debiandebian/libheif< libheif 1.15.1-1+deb12u1 (bookworm)

▶Debianstruktur/libheif< 1.11.0-1+deb11u1+3

▶NVDstruktur/libheif1.17.6

Also affects: Debian Linux 11.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-41311: In Libheif 1↗2024-10-15

▶

GHSA

GHSA-mwf7-wfvq-vc32: In Libheif 1↗2024-10-15

▶

📋Vendor Advisories

Ubuntu

libheif vulnerability↗2024-10-23

▶

Debian

CVE-2024-41311: libheif - In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif ...↗2024

▶