PT-2026-42002 · Libheif · Libheif

Elhananhaenel · Published 2026-05-19 · Updated 2026-05-28 · CVE-2026-32739

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

libheif versions prior to 1.22.0

Description

An issue in the HEIF and AVIF file format decoder and encoder allows a specially crafted 800-byte HEIF sequence file to trigger an infinite loop in the Box_stts::get_sample_duration() function. This occurs during the file parsing stage upon opening the file, before any user interaction or image decoding takes place. The loop lacks an iteration limit or timeout, resulting in 100% CPU consumption and a Denial of Service (DoS) condition. Because the process remains active without crashing or logging errors, the issue may remain undetected by crash-based monitoring systems.

Recommendations

Update to version 1.22.0.
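
Because the hang described above produces no crash and no log entry, a supervisor has to bound the parsing process itself. The following is an added example, not code from libheif or from this advisory: it runs a parser command in a child process under a CPU-time limit plus a wall-clock timeout and reports a limit kill as its own verdict. The two commands are constructed stand-ins for a parser process, and `run_bounded` is a hypothetical helper name.

```python
import resource
import signal
import subprocess
import sys


def run_bounded(argv, cpu_seconds=1, wall_seconds=10):
    """Run argv in a child with CPU and wall-clock caps.

    Returns (verdict, returncode), where verdict is one of
    "ok", "error", "cpu-limit" or "wall-timeout".
    """
    def limit():
        # Runs in the child before exec (POSIX only).
        # Soft limit delivers SIGXCPU; the hard limit, one second
        # later, delivers SIGKILL if SIGXCPU was ignored or handled.
        resource.setrlimit(resource.RLIMIT_CPU,
                           (cpu_seconds, cpu_seconds + 1))
        # A spinning parser should not leave a core file behind.
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))

    try:
        proc = subprocess.run(argv, preexec_fn=limit,
                              timeout=wall_seconds,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        # Child was idle or blocked rather than spinning.
        return ("wall-timeout", None)

    # A negative return code means the child died from that signal.
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return ("cpu-limit", proc.returncode)
    return ("ok" if proc.returncode == 0 else "error", proc.returncode)


# Constructed stand-ins: one spins forever like the hang described
# in the advisory, one finishes normally.
SPINNING_PARSER = [sys.executable, "-c", "while True: pass"]
HEALTHY_PARSER = [sys.executable, "-c", "print('parsed')"]

if __name__ == "__main__":
    for name, cmd in (("spinning", SPINNING_PARSER),
                      ("healthy", HEALTHY_PARSER)):
        print(name, run_bounded(cmd))
```

Alerting on the `cpu-limit` verdict gives monitoring a signal for this class of bug that crash counters never see.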

Exploit

Fix

Infinite Loop

Weakness Enumeration

Related Identifiers

CVE-2026-32739
ECHO-36D4-E1BA-8D3C
OPENSUSE-SU-2026:10878-1

Affected Products

Libheif