PT-2026-42006 · Libheif · Libheif

Published: 2026-05-19 · Updated: 2026-06-03 · CVE-2026-32814

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: libheif versions prior to 1.22.0

Description: When decoding a HEIF grid image with strict_decoding set to false (the default), a corrupted tile may fail to decode silently. The library returns heif_error_Ok without indicating failure, resulting in an uninitialized heap memory information leak. This occurs because the canvas is allocated via create_clone_image_at_new_size() → plane.alloc() → new (std::nothrow) uint8_t[allocation_size], which does not zero the memory. While the alpha plane is initialized via fill_plane(), the Y, Cb, and Cr planes retain previous heap data. Consequently, the failed tile's region contains uninitialized heap data delivered to the caller as decoded pixel values, totaling over 12,288 bytes. In server-side processing, a crafted .heic or .avif file can leak sensitive cross-user data, such as authentication tokens or database results, when the image is decoded and re-encoded for thumbnails or CDNs.

Recommendations: Update to version 1.22.0.
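
The failure mode in the description, reduced to a self-contained C model (an added example, not libheif code and not the 1.22.0 patch): a recycled, non-zeroed block stands in for the heap, and the names heap_block, alloc_plane, decode_tile, decode_grid, stale_bytes and run are hypothetical. It compares the default behaviour with two generic remedies for this bug class, zero-filling the canvas and propagating the tile error.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not libheif code: a 2x1 grid of 4x4 single-plane tiles. */
enum { TILE = 4, COLS = 2, W = TILE * COLS, H = TILE, CANVAS = W * H };

/* Stand-in for a heap that hands back a recycled block without clearing it. */
static uint8_t heap_block[CANVAS];
static uint8_t *alloc_plane(int zero) {
    if (zero) memset(heap_block, 0, CANVAS);   /* remedy 1: zero the canvas */
    return heap_block;
}

/* Hypothetical tile decoder: tile 1 is "corrupted" and writes nothing. */
static int decode_tile(int idx, uint8_t *canvas) {
    if (idx == 1) return -1;
    for (int y = 0; y < TILE; y++)
        memset(canvas + y * W + idx * TILE, 0x80, TILE);
    return 0;
}

/* strict == 0 models the default described above: tile errors are dropped. */
static int decode_grid(int strict, int zero, uint8_t **out) {
    uint8_t *canvas = alloc_plane(zero);
    for (int i = 0; i < COLS; i++)
        if (decode_tile(i, canvas) != 0 && strict) return -1;  /* remedy 2 */
    *out = canvas;
    return 0;   /* reported as success even when a tile failed */
}

/* Count output bytes that still hold the previous owner's data. */
static int stale_bytes(const uint8_t *canvas, uint8_t marker) {
    int n = 0;
    for (int i = 0; i < CANVAS; i++) n += (canvas[i] == marker);
    return n;
}

/* An earlier request leaves constructed "secret" bytes (0x53) in the block. */
static int run(int strict, int zero) {
    uint8_t *img = NULL;
    memset(heap_block, 0x53, CANVAS);
    if (decode_grid(strict, zero, &img) != 0) return -1;
    return stale_bytes(img, 0x53);
}

int main(void) {
    printf("default=%d zeroed=%d strict=%d\n", run(0, 0), run(0, 1), run(1, 0));
    return 0;
}
```

In the default run the whole failed tile (16 bytes here) reaches the caller as pixel data; zero-filling removes the stale bytes, and strict handling makes the caller see the failure instead of an image.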

Exploit

Fix

Information Disclosure

Use of Uninitialized Resource

Weakness Enumeration

Related Identifiers

CVE-2026-32814
ECHO-75D9-35E8-0F25
OPENSUSE-SU-2026:10878-1

Affected Products

Libheif