CVE-2026-32882

Name of the Vulnerable Software and Affected Versions libheif versions prior to 1.22.0

Description A heap buffer over-read exists in the HeifPixelImage::overlay() function within libheif/pixelimage.cc. This occurs when compositing an overlay image where the child image uses a different bit depth for the alpha channel compared to the color channels. The function incorrectly uses the color channel stride in stride instead of the alpha stride to index the alpha plane, leading to reads beyond the alpha buffer. A specially crafted HEIF file can trigger this issue, resulting in a denial of service via a crash or the potential disclosure of adjacent heap memory through leaked bytes in the decoded output pixels.

Recommendations Update to version 1.22.0.