CVE-2025-43966

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-43966
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-43966.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-43966
Downstream
Published
2025-04-21T00:15:33Z
Modified
2025-10-18T06:41:33.366406Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

libheif before 1.19.6 has a NULL pointer dereference in ImageItem_iden in image-items/iden.cc.

References

Affected packages

Git / github.com/strukturag/libheif

Affected ranges

Type
GIT
Repo
https://github.com/strukturag/libheif
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b38555387e4b5dcf036fe45b0c440aca19b7b69c

Affected versions

v1.*

v1.0.0
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.15.1
v1.15.2
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.17.1
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.18.0
v1.18.0-rc1
v1.18.1
v1.18.2
v1.19.0
v1.19.1
v1.19.2
v1.19.3
v1.19.4
v1.19.5
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.8.0
v1.9.0
v1.9.1

Database specific

vanir_signatures

[
    {
        "digest": {
            "function_hash": "269717084479094280050537529345027695674",
            "length": 337.0
        },
        "id": "CVE-2025-43966-2310b2ab",
        "source": "https://github.com/strukturag/libheif/commit/b38555387e4b5dcf036fe45b0c440aca19b7b69c",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "ImageItem_iden::get_coded_image_colorspace",
            "file": "libheif/image-items/iden.cc"
        },
        "signature_type": "Function"
    },
    {
        "digest": {
            "function_hash": "73400262617684692472488145310571118247",
            "length": 287.0
        },
        "id": "CVE-2025-43966-6460408e",
        "source": "https://github.com/strukturag/libheif/commit/b38555387e4b5dcf036fe45b0c440aca19b7b69c",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "ImageItem_iden::get_luma_bits_per_pixel",
            "file": "libheif/image-items/iden.cc"
        },
        "signature_type": "Function"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "131676103201306471806130574706157841610",
                "179948489598973545432845495664250200902",
                "134837350146989967343775479143370328580",
                "38192825437810321044206123030153190425",
                "262488337595101450353805553360839849476",
                "336125343482885578895042228135841635591",
                "146850395506571686878360893632357735214",
                "5874557714604434190241085640247481784",
                "262488337595101450353805553360839849476",
                "195793079070126330933160111978722492722",
                "35704977740866121937009211600555069368"
            ]
        },
        "id": "CVE-2025-43966-864d8e2a",
        "source": "https://github.com/strukturag/libheif/commit/b38555387e4b5dcf036fe45b0c440aca19b7b69c",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "libheif/image-items/iden.cc"
        },
        "signature_type": "Line"
    },
    {
        "digest": {
            "function_hash": "277278725406641131003980689168480540874",
            "length": 291.0
        },
        "id": "CVE-2025-43966-adfb64d3",
        "source": "https://github.com/strukturag/libheif/commit/b38555387e4b5dcf036fe45b0c440aca19b7b69c",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "ImageItem_iden::get_chroma_bits_per_pixel",
            "file": "libheif/image-items/iden.cc"
        },
        "signature_type": "Function"
    }
]