
CVE-2025-68431

CVSS Score: 6.5 (Medium)
Published: Dec 29, 2025
Last Modified: Dec 31, 2025

Vulnerability Description

libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF file that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets); when that signed value is passed to `memcpy`, the implicit conversion to `size_t` wraps it to a very large count, so `memcpy` reads far past the end of the source plane and the process crashes. Version 1.21.0 contains a patch. As a workaround, avoid decoding images that use `iovl` (image overlay) items.
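The following C program is an added example, not libheif code: a minimal single-plane overlay that reproduces the failure mode described above (an unclipped overlay offset produces a negative row length, which memcpy's size_t parameter turns into a near-SIZE_MAX read) beside a clipped version that cannot reach that state. The Plane type, naive_row_len, safe_overlay and the 4x4 canvas inputs are all constructed for illustration; the vulnerable path is modelled on the description, not on the actual HeifPixelImage::overlay() source.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One 8-bit image plane, row-major. A constructed stand-in for this
 * example, not libheif's HeifPixelImage. */
typedef struct {
    int32_t width, height;
    uint8_t *data;                      /* width * height bytes */
} Plane;

static Plane *plane_new(int32_t w, int32_t h, uint8_t fill) {
    Plane *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->width = w; p->height = h;
    p->data = malloc((size_t)w * (size_t)h);
    if (!p->data) { free(p); return NULL; }
    memset(p->data, fill, (size_t)w * (size_t)h);
    return p;
}

static void plane_free(Plane *p) { if (p) { free(p->data); free(p); } }

/* Vulnerable pattern (hypothetical, modelled on the CVE text): the copy
 * length is only trimmed against the right canvas edge, so an overlay
 * offset beyond the canvas width yields a negative row length. */
static int32_t naive_row_len(int32_t canvas_w, int32_t overlay_w, int32_t dx) {
    int32_t len = overlay_w;
    if (dx + len > canvas_w)
        len = canvas_w - dx;            /* negative when dx > canvas_w */
    return len;
}

/* memcpy's length parameter is size_t; a negative int32_t converts to a
 * value near SIZE_MAX, so the copy would read far past the source plane. */
static size_t as_memcpy_size(int32_t len) { return (size_t)len; }

/* Hardened overlay: intersect the overlay rectangle with the canvas in
 * 64-bit arithmetic and hand memcpy only a positive, bounded row length.
 * Returns 1 if pixels were drawn, 0 if the overlay lies entirely outside
 * the canvas (a strict decoder may reject such a file instead). */
static int safe_overlay(Plane *dst, const Plane *src, int32_t dx, int32_t dy) {
    int64_t x0 = dx > 0 ? dx : 0, y0 = dy > 0 ? dy : 0;
    int64_t x1 = (int64_t)dx + src->width, y1 = (int64_t)dy + src->height;
    if (x1 > dst->width)  x1 = dst->width;
    if (y1 > dst->height) y1 = dst->height;
    if (x1 <= x0 || y1 <= y0) return 0;   /* empty intersection: nothing to copy */

    size_t row_len = (size_t)(x1 - x0);   /* 1 <= row_len <= dst->width */
    for (int64_t y = y0; y < y1; y++) {
        const uint8_t *s = src->data + (y - dy) * src->width + (x0 - dx);
        uint8_t *d = dst->data + y * dst->width + x0;
        memcpy(d, s, row_len);
    }
    return 1;
}

static size_t count_value(const Plane *p, uint8_t v) {
    size_t n = 0, total = (size_t)p->width * (size_t)p->height;
    for (size_t i = 0; i < total; i++) n += (p->data[i] == v);
    return n;
}

/* Places a w x h overlay filled with 0xAA at (dx, dy) on a zeroed 4x4 canvas
 * and returns how many canvas bytes were written (-1 if nothing was drawn). */
static long overlay_on_4x4(int32_t w, int32_t h, int32_t dx, int32_t dy) {
    Plane *dst = plane_new(4, 4, 0x00), *src = plane_new(w, h, 0xAA);
    long written = -1;
    if (dst && src && safe_overlay(dst, src, dx, dy) == 1)
        written = (long)count_value(dst, 0xAA);
    plane_free(dst); plane_free(src);
    return written;
}

int main(void) {
    int32_t bad = naive_row_len(4, 3, 6);          /* overlay at x=6 on a 4-wide canvas */
    printf("naive row length: %d -> memcpy size %zu\n", bad, as_memcpy_size(bad));
    printf("3x2 at (2,3): %ld bytes drawn (clipped to 2x1)\n", overlay_on_4x4(3, 2, 2, 3));
    printf("3x1 at (-1,0): %ld bytes drawn (left edge clipped)\n", overlay_on_4x4(3, 1, -1, 0));
    printf("3x1 at (6,0): %ld (fully outside, rejected)\n", overlay_on_4x4(3, 1, 6, 0));
    return 0;
}
```

The negative length from naive_row_len is deliberately never handed to memcpy here; as_memcpy_size only exposes the conversion that the description says turns a small negative number into a multi-gigabyte read. When checking a real decoder build, the equivalent test is to feed it overlay items with out-of-range offsets under AddressSanitizer and look for a heap-buffer-overflow READ report from the overlay routine.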

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: None (N)
User Interaction: Required (R)
Scope: Unchanged (U)
Confidentiality: None (N)
Integrity: None (N)
Availability: High (H)
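As an added example (not part of this page or of libheif), the C program below recomputes the listed 6.5 base score from the vector string using the formulas of the CVSS v3.1 specification, so the score can be verified rather than trusted. It reads only the eight base metrics and skips any temporal or environmental ones; the second vector in the test is a separately constructed scope-changed example to exercise the other branch of the formula.

```c
#include <stdio.h>
#include <string.h>

/* Base-metric letters from a v3.x vector. Constructed for this example. */
typedef struct { char av, ac, pr, ui, s, c, i, a; } CvssBase;

/* Reads the eight base metrics; other metrics (temporal, environmental) are
 * skipped. Returns 1 on success, 0 if the prefix or a base metric is missing. */
static int parse_base(const char *vector, CvssBase *out) {
    char buf[256];
    if (strncmp(vector, "CVSS:3.", 7) != 0 || strlen(vector) >= sizeof buf) return 0;
    strcpy(buf, vector);
    memset(out, 0, sizeof *out);
    strtok(buf, "/");                               /* "CVSS:3.1" */
    for (char *tok = strtok(NULL, "/"); tok; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (!colon || colon[1] == '\0' || colon[2] != '\0') return 0;
        char v = colon[1];
        *colon = '\0';
        if      (!strcmp(tok, "AV")) out->av = v;
        else if (!strcmp(tok, "AC")) out->ac = v;
        else if (!strcmp(tok, "PR")) out->pr = v;
        else if (!strcmp(tok, "UI")) out->ui = v;
        else if (!strcmp(tok, "S"))  out->s  = v;
        else if (!strcmp(tok, "C"))  out->c  = v;
        else if (!strcmp(tok, "I"))  out->i  = v;
        else if (!strcmp(tok, "A"))  out->a  = v;
    }
    return out->av && out->ac && out->pr && out->ui && out->s && out->c && out->i && out->a;
}

/* Metric weights from the CVSS v3.1 specification; -1 for an unknown letter. */
static double w_av(char v)  { return v=='N'?0.85 : v=='A'?0.62 : v=='L'?0.55 : v=='P'?0.2 : -1; }
static double w_ac(char v)  { return v=='L'?0.77 : v=='H'?0.44 : -1; }
static double w_ui(char v)  { return v=='N'?0.85 : v=='R'?0.62 : -1; }
static double w_cia(char v) { return v=='H'?0.56 : v=='L'?0.22 : v=='N'?0.0 : -1; }
static double w_pr(char v, int changed) {
    if (v == 'N') return 0.85;
    if (v == 'L') return changed ? 0.68 : 0.62;
    if (v == 'H') return changed ? 0.50 : 0.27;
    return -1;
}

/* Spec "Roundup": smallest multiple of 0.1 >= x, using the integer trick the
 * spec prescribes to avoid floating-point artefacts. x is non-negative here. */
static double roundup(double x) {
    long i = (long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0) return i / 100000.0;
    return (i / 10000 + 1) / 10.0;
}

/* Returns the v3.1 base score (0.0 to 10.0) or -1.0 on a malformed vector. */
static double cvss31_base_score(const char *vector) {
    CvssBase b;
    if (!parse_base(vector, &b)) return -1.0;
    if (b.s != 'U' && b.s != 'C') return -1.0;
    int changed = (b.s == 'C');
    double av = w_av(b.av), ac = w_ac(b.ac), pr = w_pr(b.pr, changed), ui = w_ui(b.ui);
    double c = w_cia(b.c), i = w_cia(b.i), a = w_cia(b.a);
    if (av < 0 || ac < 0 || pr < 0 || ui < 0 || c < 0 || i < 0 || a < 0) return -1.0;

    double iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
    double impact;
    if (!changed) {
        impact = 6.42 * iss;
    } else {                                  /* 7.52*(ISS-0.029) - 3.25*(ISS-0.02)^15 */
        double t = iss - 0.02, p = 1.0;
        for (int k = 0; k < 15; k++) p *= t;
        impact = 7.52 * (iss - 0.029) - 3.25 * p;
    }
    double exploitability = 8.22 * av * ac * pr * ui;
    if (impact <= 0.0) return 0.0;
    double sum = impact + exploitability;
    if (changed) sum *= 1.08;
    return roundup(sum > 10.0 ? 10.0 : sum);
}

int main(void) {
    const char *v = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H";   /* this CVE */
    printf("%s -> %.1f\n", v, cvss31_base_score(v));
    return 0;
}
```

For this CVE the numbers are: ISS = 1 - (1)(1)(1 - 0.56) = 0.56, Impact = 6.42 * 0.56 = 3.5952, Exploitability = 8.22 * 0.85 * 0.77 * 0.85 * 0.62 = 2.835, and Roundup(3.5952 + 2.835) = 6.5, matching the page.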

Available Security Patches

1 patch available from vendors

Canonical (Ubuntu): USN-7952-1 (USN-7952-1: libheif vulnerabilities)
Severity: Unknown
Released: Jan 12, 2026
Type: Security Update
