Out-of-bounds Read Affecting libheif-debuginfo package, versions <0:1.19.8-1.amzn2023.0.5


Severity

Recommended: high (based on Amazon Linux security rating)

Threat Intelligence

EPSS: 0.32% (25th percentile)

  • Snyk ID: SNYK-AMZN2023-LIBHEIFDEBUGINFO-17291083
  • Published: 10 Jun 2026
  • Disclosed: 19 May 2026

Introduced: 19 May 2026

CVE-2026-32882
CWE-125

How to fix?

Upgrade Amazon-Linux:2023 libheif-debuginfo to version 0:1.19.8-1.amzn2023.0.5 or higher.
This issue was patched in ALAS2023-2026-1814.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif-debuginfo package and not the libheif-debuginfo package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100×50 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in version 1.22.0.
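The stride mix-up described above is easy to reason about with a small model of the two planes. The following C++ is an added illustration written for this page; it is not libheif's code and does not reproduce its allocation layout. It uses a constructed, unpadded plane layout (one row immediately after the next), a 10-bit colour plane stored as 2 bytes per sample and an 8-bit alpha plane at 1 byte per sample, and it walks the overlay the way a compositing loop would while counting alpha fetches that would land outside the buffer instead of performing them. The names `Plane`, `walkAlpha`, `overlayBuggy` and `overlayFixed` are assumptions for this example; because the layout is simplified, the computed overread differs from the 3,123-byte figure the advisory quotes for libheif's real allocator.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for an image plane: samples stored row by row, with
// `stride` bytes between row starts and no padding in this simplified layout.
struct Plane {
    std::vector<uint8_t> data;  // backing buffer, exactly stride * height bytes
    size_t stride = 0;          // bytes per row
    int width = 0;
    int height = 0;
};

Plane makePlane(int width, int height, int bytesPerSample) {
    Plane p;
    p.width = width;
    p.height = height;
    p.stride = static_cast<size_t>(width) * static_cast<size_t>(bytesPerSample);
    p.data.assign(p.stride * static_cast<size_t>(height), 0);
    return p;
}

struct OverlayStats {
    size_t oobReads = 0;     // alpha fetches that fell outside the alpha buffer
    size_t maxOverread = 0;  // how many bytes past the end the worst fetch reaches
};

// Visits every pixel of the overlay and computes the alpha sample offset as
// row * rowStride + x. An out-of-range offset is counted rather than read, so
// this demo never touches memory outside its own buffers.
OverlayStats walkAlpha(const Plane& alpha, size_t rowStride) {
    OverlayStats s;
    for (int y = 0; y < alpha.height; ++y) {
        for (int x = 0; x < alpha.width; ++x) {
            size_t off = static_cast<size_t>(y) * rowStride + static_cast<size_t>(x);
            if (off >= alpha.data.size()) {
                ++s.oobReads;
                size_t past = off - alpha.data.size() + 1;
                if (past > s.maxOverread) s.maxOverread = past;
            }
        }
    }
    return s;
}

// Bug pattern from the advisory: the alpha plane is indexed with the colour
// plane's in_stride (2 bytes per sample for 10-bit colour) instead of its own.
OverlayStats overlayBuggy(const Plane& color, const Plane& alpha) {
    size_t in_stride = color.stride;  // wrong stride for the alpha plane
    return walkAlpha(alpha, in_stride);
}

// Fixed pattern: the alpha plane is indexed with alpha_stride.
OverlayStats overlayFixed(const Plane& /*color*/, const Plane& alpha) {
    size_t alpha_stride = alpha.stride;
    return walkAlpha(alpha, alpha_stride);
}
```

For a 100×50 image the colour stride is 200 bytes and the alpha buffer is 5,000 bytes, so with the wrong stride every row from 25 onward is fetched from beyond the buffer (2,500 out-of-range fetches, the last one 4,900 bytes past the end); rows before that stay inside the buffer but read the wrong alpha values. A regression test for this class of bug is exactly this shape: decode an overlay with mismatched alpha and colour bit depths under AddressSanitizer, or compare the composited output against a reference that used the correct stride.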

CVSS Base Scores

version 3.1