Byte Open Security

(ByteOS Network)

CVE Vulnerability Details: CVE-2025-68431 (PUBLISHED)
Assigner: GitHub_M
Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa
Published At: 29 Dec, 2025 | 19:09
Updated At: 30 Dec, 2025 | 22:26
Rejected At: (not rejected)
CVE Numbering Authority (CNA)
libheif has Potential Heap Buffer Over-Read

libheif is a HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF file that exercises the overlay image item path (`iovl`) triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets); converting that negative signed value to `size_t` wraps it to a very large unsigned value, which is then passed to `memcpy`, causing a read far past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images that use `iovl` overlay items.
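The mechanism in the description above (a signed, unclipped row length cast to `size_t` and handed to `memcpy`) is shown below as an added example in C++. This is constructed illustration code written for this page, not libheif's `HeifPixelImage::overlay()` or its patch; the names `Plane`, `clip_overlay`, `overlay_checked` and the helpers are hypothetical, and the image planes are tiny in-memory buffers constructed inline. The vulnerable pattern is kept side by side with a clipped, checked version.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed example, not libheif code. A single 8-bit image plane with
// stride == width is enough to show how an overlay copy goes wrong and how
// clipping fixes it. Names here are hypothetical, not libheif's API.
struct Plane {
    int width = 0, height = 0;
    std::vector<uint8_t> data;  // row-major, stride == width
    uint8_t* at(int x, int y) { return &data[(size_t)y * width + x]; }
    const uint8_t* at(int x, int y) const { return &data[(size_t)y * width + x]; }
};

Plane make_plane(int w, int h, uint8_t fill) {
    Plane p; p.width = w; p.height = h; p.data.assign((size_t)w * h, fill);
    return p;
}

// The failure mode the advisory describes: the per-row copy length is derived
// from signed offsets without first clipping the overlay rectangle to the
// canvas. Once the overlay's left edge lies past the canvas's right edge,
// canvas_w - offset_x is negative, min() keeps it, and the cast to size_t
// turns -1 into SIZE_MAX. Handing that to memcpy reads far past the source
// plane. This returns the value that would reach memcpy; nothing is copied.
size_t unchecked_row_len(int canvas_w, int overlay_w, int offset_x) {
    int row_len = std::min(overlay_w, canvas_w - offset_x);  // may be < 0
    return (size_t)row_len;                                  // wraparound (CWE-190)
}

struct Rect { int x0, y0, x1, y1; };  // half-open [x0,x1) x [y0,y1), canvas coords

// Clip the overlay placement to the canvas. Arithmetic is done in int64_t so
// extreme 32-bit offsets taken from the file cannot overflow; the result is
// bounded by the canvas size and therefore fits in int.
Rect clip_overlay(int canvas_w, int canvas_h, int overlay_w, int overlay_h,
                  int32_t offset_x, int32_t offset_y) {
    int64_t x0 = std::max<int64_t>(0, offset_x);
    int64_t y0 = std::max<int64_t>(0, offset_y);
    int64_t x1 = std::min<int64_t>(canvas_w, (int64_t)offset_x + overlay_w);
    int64_t y1 = std::min<int64_t>(canvas_h, (int64_t)offset_y + overlay_h);
    return Rect{(int)x0, (int)y0, (int)x1, (int)y1};
}

// Hardened overlay: clip first, reject empty or inverted spans, and only then
// memcpy with a row length that is provably > 0 and inside both planes.
// Returns the number of bytes copied (0 when the overlay is fully outside).
size_t overlay_checked(Plane& canvas, const Plane& overlay, int32_t ox, int32_t oy) {
    Rect r = clip_overlay(canvas.width, canvas.height, overlay.width, overlay.height, ox, oy);
    if (r.x1 <= r.x0 || r.y1 <= r.y0) return 0;   // nothing visible: no memcpy at all
    size_t row_len = (size_t)(r.x1 - r.x0);        // positive by the check above
    for (int y = r.y0; y < r.y1; y++) {
        int sx = r.x0 - ox, sy = y - oy;           // source coords inside the overlay
        std::memcpy(canvas.at(r.x0, y), overlay.at(sx, sy), row_len);
    }
    return row_len * (size_t)(r.y1 - r.y0);
}

// Scenario helpers: a 2x2 0xFF overlay placed at (ox, oy) on a 4x4 zero canvas.
size_t bytes_copied(int32_t ox, int32_t oy) {
    Plane c = make_plane(4, 4, 0x00), o = make_plane(2, 2, 0xFF);
    return overlay_checked(c, o, ox, oy);
}
Plane place(int32_t ox, int32_t oy) {
    Plane c = make_plane(4, 4, 0x00), o = make_plane(2, 2, 0xFF);
    overlay_checked(c, o, ox, oy);
    return c;
}

int main() {
    std::printf("unchecked row length, 2px overlay at x=5 on a 4px canvas: %zu\n",
                unchecked_row_len(4, 2, 5));
    std::printf("checked copy at x=5: %zu bytes; at x=3: %zu bytes; at (-1,-1): %zu bytes\n",
                bytes_copied(5, 0), bytes_copied(3, 0), bytes_copied(-1, -1));
    return 0;
}
```

The point of the checked version is ordering: the rectangle is clipped and the empty case rejected before any length is converted to `size_t`, so a negative intermediate can never reach `memcpy`. Doing the intermediate math in a wider signed type also covers offsets near the `int32_t` limits that a file can carry.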

Affected Products
Vendor
strukturag
Product
libheif
Versions
Affected
  • < 1.21.0
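The workaround in the description (avoid decoding images that use `iovl` overlay items) implies a pre-decode gate for deployments still on an affected version. The following added example, written for this page and not part of libheif or this advisory, walks the ISOBMFF box tree of a HEIF file far enough to read the item types declared under `meta`/`iinf`/`infe` and refuses any file that declares an `iovl` item or that is malformed. The box and field layout follows ISO 14496-12 and ISO 23008-12; the function names are hypothetical and the sample files are constructed inline, not real captures.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not libheif code: minimal box walker that collects the
// item_type of every infe entry and rejects files declaring an 'iovl' item.
uint32_t be32(const uint8_t* p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

// Parse the box header at [pos, end). On success type is the 4cc, body the
// first payload byte and next the byte after the box. Fails closed on any
// truncated or overlong size, which is the usual shape of hostile input.
bool read_box(const std::vector<uint8_t>& buf, size_t pos, size_t end,
              std::string& type, size_t& body, size_t& next) {
    if (end - pos < 8) return false;
    uint64_t size = be32(&buf[pos]);
    type.assign((const char*)&buf[pos + 4], 4);
    size_t hdr = 8;
    if (size == 1) {                                   // 64-bit largesize
        if (end - pos < 16) return false;
        size = (uint64_t)be32(&buf[pos + 8]) << 32 | be32(&buf[pos + 12]);
        hdr = 16;
    } else if (size == 0) {                            // extends to end of parent
        size = end - pos;
    }
    if (size < hdr || size > end - pos) return false;
    body = pos + hdr;
    next = pos + (size_t)size;
    return true;
}

// Walk the infe children of an iinf FullBox. infe v2 has a 16-bit item_ID,
// v3 a 32-bit one, both followed by item_protection_index and item_type;
// v0/v1 carry no item_type and are skipped. entry_count is not trusted.
bool scan_iinf(const std::vector<uint8_t>& buf, size_t body, size_t end,
               std::vector<std::string>& types) {
    if (end - body < 4) return false;
    size_t pos = body + 4 + (buf[body] == 0 ? 2 : 4);   // version/flags, entry_count
    if (pos > end) return false;
    while (pos < end) {
        std::string t; size_t b, n;
        if (!read_box(buf, pos, end, t, b, n)) return false;
        if (t == "infe" && n - b >= 4 && buf[b] >= 2) {
            size_t p = b + 4 + (buf[b] >= 3 ? 4 : 2) + 2;  // header, item_ID, protection
            if (p + 4 > n) return false;
            types.emplace_back((const char*)&buf[p], 4);
        }
        pos = n;
    }
    return true;
}

// Top level: descend into the meta FullBox and visit its iinf child.
bool collect_item_types(const std::vector<uint8_t>& buf, std::vector<std::string>& types) {
    size_t pos = 0, end = buf.size();
    while (pos < end) {
        std::string t; size_t b, n;
        if (!read_box(buf, pos, end, t, b, n)) return false;
        if (t == "meta") {
            if (n - b < 4) return false;
            for (size_t p = b + 4; p < n;) {
                std::string t2; size_t b2, n2;
                if (!read_box(buf, p, n, t2, b2, n2)) return false;
                if (t2 == "iinf" && !scan_iinf(buf, b2, n2, types)) return false;
                p = n2;
            }
        }
        pos = n;
    }
    return true;
}

// Gate for a decoder older than 1.21.0: false when the file is malformed or
// declares any 'iovl' item.
bool safe_to_decode(const std::vector<uint8_t>& buf) {
    std::vector<std::string> types;
    if (!collect_item_types(buf, types)) return false;
    for (const std::string& t : types) if (t == "iovl") return false;
    return true;
}

// ---- constructed sample files (hypothetical, not real captures) ----
std::vector<uint8_t> box(const char* type, std::vector<uint8_t> payload) {
    uint32_t size = (uint32_t)(8 + payload.size());
    std::vector<uint8_t> out = {(uint8_t)(size >> 24), (uint8_t)(size >> 16),
                                (uint8_t)(size >> 8), (uint8_t)size};
    out.insert(out.end(), type, type + 4);
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}
std::vector<uint8_t> infe(uint16_t id, const char* item_type) {   // infe version 2
    std::vector<uint8_t> p = {2, 0, 0, 0, (uint8_t)(id >> 8), (uint8_t)id, 0, 0};
    p.insert(p.end(), item_type, item_type + 4);
    p.push_back(0);                                    // empty item_name
    return box("infe", p);
}
std::vector<uint8_t> build_sample(bool with_overlay) {
    std::vector<uint8_t> iinf = {0, 0, 0, 0, 0, (uint8_t)(with_overlay ? 2 : 1)};
    auto a = infe(1, "hvc1"); iinf.insert(iinf.end(), a.begin(), a.end());
    if (with_overlay) { auto b = infe(2, "iovl"); iinf.insert(iinf.end(), b.begin(), b.end()); }
    std::vector<uint8_t> meta = {0, 0, 0, 0};          // meta FullBox version/flags
    auto ii = box("iinf", iinf); meta.insert(meta.end(), ii.begin(), ii.end());
    std::vector<uint8_t> file = box("ftyp", {'h','e','i','c', 0,0,0,0, 'm','i','f','1'});
    auto m = box("meta", meta); file.insert(file.end(), m.begin(), m.end());
    return file;
}
std::vector<uint8_t> truncate(std::vector<uint8_t> v, size_t n) { v.resize(v.size() - n); return v; }

int main() {
    std::printf("plain: %s  overlay: %s  truncated: %s\n",
                safe_to_decode(build_sample(false)) ? "allow" : "reject",
                safe_to_decode(build_sample(true)) ? "allow" : "reject",
                safe_to_decode(truncate(build_sample(true), 5)) ? "allow" : "reject");
    return 0;
}
```

This gate only reads item types; it does not parse the `iovl` payload itself, so it errs on the side of rejecting every overlay-bearing file, which is exactly the workaround the advisory states. Malformed files are rejected too, since a parser that cannot account for every byte of the box tree has no basis for saying the file is overlay-free.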
Problem Types
  • CWE-125: Out-of-bounds Read
  • CWE-190: Integer Overflow or Wraparound
Metrics
  • CVSS 3.1 base score: 6.5 (MEDIUM)
    Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
    Reading the vector: network-reachable input, low attack complexity, no privileges required, user interaction required (someone or some service must open the crafted file), unchanged scope, and availability impact only (a decoder crash); no confidentiality or integrity impact is claimed.
References
  • https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq (x_refsource_CONFIRM)
  • https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46 (x_refsource_MISC)
  • https://github.com/strukturag/libheif/releases/tag/v1.21.0 (x_refsource_MISC)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Details not found