Debian Libheif vulnerabilities

CVE-2026-3950 [MEDIUM] CVE-2026-3950: libheif - A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts ... A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of the component stsz/stts. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. Applying a patch is the recommended action to fix this

CVE-2026-3949 [MEDIUM] CVE-2026-3949: libheif - A vulnerability was determined in strukturag libheif up to 1.21.2. This affects ... A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized

CVE-2025-68431 [MEDIUM] CVE-2025-68431: libheif - libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.... libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t`

CVE-2025-43966 [LOW] CVE-2025-43966: libheif - libheif before 1.19.6 has a NULL pointer dereference in ImageItem_iden in image-... libheif before 1.19.6 has a NULL pointer dereference in ImageItem_iden in image-items/iden.cc. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 1.19.7-1) sid: resolved (fixed in 1.19.7-1) trixie: resolved (fixed in 1.19.7-1)

CVE-2025-43967 [LOW] CVE-2025-43967: libheif - libheif before 1.19.6 has a NULL pointer dereference in ImageItem_Grid::get_deco... libheif before 1.19.6 has a NULL pointer dereference in ImageItem_Grid::get_decoder in image-items/grid.cc because a grid image can reference a nonexistent image item. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 1.19.7-1) sid: resolved (fixed in 1.19.7-1) trixie: resolved (fixed in 1.19.7-1)

CVE-2024-41311 [HIGH] CVE-2024-41311: libheif - In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif ... In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif file containing an overlay image with forged offsets can lead to an out-of-bounds read and write. Scope: local bookworm: resolved (fixed in 1.15.1-1+deb12u1) bullseye: resolved (fixed in 1.11.0-1+deb11u1) forky: resolved (fixed in 1.18.1-1) sid: resolved (fixed in 1.18.1-1) trixie: resol

CVE-2024-25269 [HIGH] CVE-2024-25269: libheif - libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. Th... libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 1.17.6-2) sid: resolved (fixed in 1.17.6-2) trixie: resolved (fixed in 1.17.6-2)

CVE-2023-0996 [HIGH] CVE-2023-0996: libheif - There is a vulnerability in the strided image data parsing code in the emscripte... There is a vulnerability in the strided image data parsing code in the emscripten wrapper for libheif. An attacker could exploit this through a crafted image file to cause a buffer overflow in linear memory during a memcpy call. Scope: local bookworm: resolved (fixed in 1.15.1-1) bullseye: resolved (fixed in 1.11.0-1+deb11u2) forky: resolved (fixed in 1.15.1-1) sid: r

CVE-2023-49462 [HIGH] CVE-2023-49462: libheif - libheif v1.17.5 was discovered to contain a segmentation violation via the compo... libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc. Scope: local bookworm: resolved (fixed in 1.15.1-1+deb12u1) bullseye: resolved forky: resolved (fixed in 1.17.6-1) sid: resolved (fixed in 1.17.6-1) trixie: resolved (fixed in 1.17.6-1)

CVE-2023-29659 [MEDIUM] CVE-2023-29659: libheif - A Segmentation fault caused by a floating point exception exists in libheif 1.15... A Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service. Scope: local bookworm: resolved (fixed in 1.15.1-1+deb12u1) bullseye: resolved (fixed in 1.11.0-1+deb11u2) forky: resolved (fixed in 1.16.2-1) sid: resolved (fixed in 1.16

CVE-2023-49464 [HIGH] CVE-2023-49464: libheif - libheif v1.17.5 was discovered to contain a segmentation violation via the funct... libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 1.17.6-1) sid: resolved (fixed in 1.17.6-1) trixie: resolved (fixed in 1.17.6-1)

CVE-2023-49463 [HIGH] CVE-2023-49463: libheif - libheif v1.17.5 was discovered to contain a segmentation violation via the funct... libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 1.17.6-1) sid: resolved (fixed in 1.17.6-1) trixie: resolved (fixed in 1.17.6-1)

CVE-2023-49460 [HIGH] CVE-2023-49460: libheif - libheif v1.17.5 was discovered to contain a segmentation violation via the funct... libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::decode_uncompressed_image. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 1.17.6-1) sid: resolved (fixed in 1.17.6-1) trixie: resolved (fixed in 1.17.6-1)

CVE-2020-23109 [HIGH] CVE-2020-23109: libheif - Buffer overflow vulnerability in function convert_colorspace in heif_colorconver... Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. Scope: local bookworm: resolved (fixed in 1.8.0-1) bullseye: resolved (fixed in 1.8.0-1) forky: resolved (fixed in 1.8.0-1) sid: resolved (fixed in 1.8.0-

CVE-2020-19499 [HIGH] CVE-2020-19499: libheif - An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allo... An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. Scope: local bookworm: resolved (fixed in 1.5.0-1) bullseye: resolved (fixed in 1.5.0-1) forky: resolved (fixed in 1.5.0-1) sid: resolved (fixed in 1.5.0-1) trixie: resolved (fix

CVE-2020-19498 [HIGH] CVE-2020-19498: libheif - Floating point exception in function Fraction in libheif 1.4.0, allows attackers... Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. Scope: local bookworm: resolved (fixed in 1.5.0-1) bullseye: resolved (fixed in 1.5.0-1) forky: resolved (fixed in 1.5.0-1) sid: resolved (fixed in 1.5.0-1) trixie: resolved (fixed in 1.5.0-1)

CVE-2019-11471 [HIGH] CVE-2019-11471: libheif - libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channe... libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. Scope: local bookworm: resolved (fixed in 1.3.2-2) bullseye: resolved (fixed in 1.3.2-2) forky: resolved (fixed in 1.3.2-2) sid: resolved (fixed in 1.3.2-2) trixie: resolved (fixed in 1.3.2-2)