Bug 2490846 (CVE-2026-49271) - CVE-2026-49271 libheif: libheif: Denial of Service via crafted HEIF file due to integer wrap-around
Summary: CVE-2026-49271 libheif: libheif: Denial of Service via crafted HEIF file due ...
Keywords:
Status: NEW
Alias: CVE-2026-49271
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2494766 2494767
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-19 18:01 UTC by OSIDB Bzimport
Modified: 2026-06-30 06:41 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-19 18:01:30 UTC
libheif is a HEIF and AVIF file format decoder and encoder. Prior to version 1.22.1, the uncompressed HEIF decoder validates explicit icef compressed-unit offsets using unit_offset + unit_size. Because the addition can wrap, a crafted HEIF file can pass the range check and then construct a vector from iterators outside the compressed item buffer, producing an out-of-bounds heap read and crash. Version 1.22.1 patches the issue.


Note You need to log in before you can comment on or make changes to this bug.