CVE-2025-68431
7.1
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Exploitability: 2.8 / Impact: 4.2
Source: NVD
Description
libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.
Affected (1)
Related CWEs
CWE-125
Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
CWE-190
Integer Overflow or Wraparound
The product performs a calculation that can
produce an integer overflow or wraparound when the logic
assumes that the resulting value will always be larger than
the original value. This occurs when an integer value is
incremented to a value that is too large to store in the
associated representation. When this occurs, the value may
become a very small or negative number.
References (3)
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
ProductRelease Notes
Source: security-advisories@github.com
ExploitPatchVendor Advisory
Timeline
No history available yet.