CISA alerts on libheif out-of-bounds flaw causing crashes

libheif’s uncompressed decoder contains an out-of-bounds memory access vulnerability that can be triggered by a maliciously crafted HEIF image and may cause applications using the library to crash, producing a Denial of Service (DoS) condition.

The issue is tracked as CVE-2025-65586 and is an out-of-bounds iterator access in libheif’s uncompressed codec. The defect occurs when the decoder processes certain metadata structures in a HEIF file: it fails to adequately validate values read from an internal metadata box before performing iterator arithmetic on the underlying data buffer. This can allow the decoder to read past the end of the input buffer and misinterpret unrelated memory as valid metadata, potentially causing a segmentation fault. The vulnerability was introduced in commit 6190b58f (October 3, 2024). Versions v1.19.0 through v1.21.1 are affected by this vulnerability; versions v1.17.6 and earlier are not. The issue was fixed in commit f4d9157 (November 5, 2025) and then merged into the 1.21.0 release at the end of 2025. The problem was discovered through coverage-guided fuzzing using AddressSanitizer-instrumented builds of libheif and was reproducible across standard Linux development environments.
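The kind of check whose absence the advisory describes, shown as an added illustrative example rather than libheif's own code: the box layout, function names and sample buffers below are constructed for this example, and the point is that a count read from the file is validated against the bytes actually present before any iterator arithmetic happens.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical metadata box layout, constructed for this example (not
   libheif's real uncompressed-codec format): a 4-byte big-endian entry
   count followed by that many 2-byte entries. */
typedef struct {
    uint32_t count;
    const uint8_t *entries;  /* points into the caller's input buffer */
} box_view;

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate the file-supplied count against the remaining length before
   any pointer arithmetic. Skipping this check is the class of defect the
   advisory describes: a crafted count would let the entry iterator walk
   past the end of the input buffer. Returns 0 on success, -1 if malformed. */
int parse_box(const uint8_t *buf, size_t len, box_view *out) {
    if (buf == NULL || out == NULL || len < 4) return -1;
    uint32_t count = read_be32(buf);
    size_t remaining = len - 4;
    /* Require count * 2 <= remaining, written so the multiply cannot overflow. */
    if (count > remaining / 2) return -1;
    out->count = count;
    out->entries = buf + 4;
    return 0;
}

/* Sums the 16-bit entries of a validated view; every access is in bounds. */
uint32_t sum_entries(const box_view *v) {
    uint32_t sum = 0;
    for (uint32_t i = 0; i < v->count; i++)
        sum += ((uint32_t)v->entries[2 * i] << 8) | v->entries[2 * i + 1];
    return sum;
}

/* Constructed sample inputs: a well-formed box and one whose count claims
   far more entries than the buffer holds. */
static const uint8_t sample_good[]    = {0, 0, 0, 2, 0x01, 0x02, 0x00, 0x10};
static const uint8_t sample_crafted[] = {0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x02};

/* Sum of the well-formed box's entries (0x0102 + 0x0010 = 274), or -1 on failure. */
long demo_good(void) {
    box_view v;
    if (parse_box(sample_good, sizeof sample_good, &v) != 0) return -1;
    return (long)sum_entries(&v);
}
int demo_crafted(void)   { box_view v; return parse_box(sample_crafted, sizeof sample_crafted, &v); }
int demo_truncated(void) { box_view v; return parse_box(sample_good, 3, &v); }
```

Running the crafted sample through a parser without the length check under an AddressSanitizer build is how fuzzing surfaces this defect class as a heap-buffer-overflow read; with the check in place it is rejected as malformed instead.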

An attacker can exploit this vulnerability by supplying a maliciously crafted HEIF image, causing applications that use libheif to crash; based on current analysis, exploitation is limited to DoS conditions. Potential impacts include unexpected termination of applications that decode HEIF images, crashes in systems that automatically generate previews or thumbnails, and disruption of services that process untrusted HEIF content (e.g., browsers, email clients, photo management tools). There is no evidence at this time that this vulnerability can be used to achieve memory disclosure or arbitrary code execution.

Software vendors and developers using the libheif library are strongly encouraged to update to version 1.21.0 or later, which includes the fix for this vulnerability; end users should apply available software updates to ensure they are running a version of libheif that addresses this issue.

Vendors, developers, and end users are advised to install libheif version 1.21.0 or later and to apply any relevant software updates to replace affected releases with versions that contain the commit f4d9157 fix.