CVE-2026-32814: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in strukturag libheif
CVE-2026-32814 is a vulnerability in libheif versions 1. 21. 2 and earlier where decoding a HEIF grid image with default settings can leak uninitialized heap memory. When a corrupted tile fails to decode, the library returns success without indicating failure, causing uninitialized memory from the Y, Cb, and Cr planes to be included in the decoded image. This can lead to sensitive information exposure if the decoded image is processed or re-encoded by applications. The issue is fixed in libheif version 1. 22. 0.
AI Analysis
Technical Summary
libheif, a HEIF and AVIF image decoder/encoder, in versions prior to 1.22.0, has a vulnerability where decoding a HEIF grid image with strict_decoding=false (default) and a corrupted tile results in silent failure to decode that tile. The library returns heif_error_Ok without signaling the failure, leading to uninitialized heap memory being included in the decoded pixel data for the Y, Cb, and Cr planes. This memory leak can expose sensitive data such as authentication tokens or other users' image data when the decoded image is further processed or re-encoded. The vulnerability is addressed in version 1.22.0.
Potential Impact
Applications using libheif to decode grid-based HEIF or AVIF images with default settings may unintentionally expose uninitialized heap memory as pixel data. This can result in leakage of sensitive information including authentication tokens, database results, or other users' image data, especially in server-side image processing scenarios where images are uploaded, decoded, and re-encoded for thumbnails or content delivery. The vulnerability does not affect integrity or availability but poses a confidentiality risk.
Mitigation Recommendations
This vulnerability has been fixed in libheif version 1.22.0. Users and developers should upgrade to version 1.22.0 or later to remediate this issue. Until upgraded, avoid processing untrusted HEIF/AVIF grid images with libheif using default decoding settings. Patch status is not explicitly stated beyond the fix in 1.22.0; check the vendor's official advisory for the latest remediation guidance.
CVE-2026-32814: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in strukturag libheif
Description
CVE-2026-32814 is a vulnerability in libheif versions 1. 21. 2 and earlier where decoding a HEIF grid image with default settings can leak uninitialized heap memory. When a corrupted tile fails to decode, the library returns success without indicating failure, causing uninitialized memory from the Y, Cb, and Cr planes to be included in the decoded image. This can lead to sensitive information exposure if the decoded image is processed or re-encoded by applications. The issue is fixed in libheif version 1. 22. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
libheif, a HEIF and AVIF image decoder/encoder, in versions prior to 1.22.0, has a vulnerability where decoding a HEIF grid image with strict_decoding=false (default) and a corrupted tile results in silent failure to decode that tile. The library returns heif_error_Ok without signaling the failure, leading to uninitialized heap memory being included in the decoded pixel data for the Y, Cb, and Cr planes. This memory leak can expose sensitive data such as authentication tokens or other users' image data when the decoded image is further processed or re-encoded. The vulnerability is addressed in version 1.22.0.
Potential Impact
Applications using libheif to decode grid-based HEIF or AVIF images with default settings may unintentionally expose uninitialized heap memory as pixel data. This can result in leakage of sensitive information including authentication tokens, database results, or other users' image data, especially in server-side image processing scenarios where images are uploaded, decoded, and re-encoded for thumbnails or content delivery. The vulnerability does not affect integrity or availability but poses a confidentiality risk.
Mitigation Recommendations
This vulnerability has been fixed in libheif version 1.22.0. Users and developers should upgrade to version 1.22.0 or later to remediate this issue. Until upgraded, avoid processing untrusted HEIF/AVIF grid images with libheif using default decoding settings. Patch status is not explicitly stated beyond the fix in 1.22.0; check the vendor's official advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-16T17:35:36.696Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0cc91dba1db47362ec07cb
Added to database: 5/19/2026, 8:33:33 PM
Last enriched: 5/19/2026, 8:48:54 PM
Last updated: 5/19/2026, 9:34:22 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.