CVE-2025-68431

libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in HeifPixelImage::overlay(). The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to size_t and is passed to memcpy, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using iovl overlay boxes.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68431.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-125",
        "CWE-190"
    ]
}

References

Affected packages

Git / github.com/strukturag/libheif

Affected ranges

Type

GIT

Repo

https://github.com/strukturag/libheif

Events

Introduced

Fixed

81b09baa38ac8654d34d0f8b7780c44addfc7893

Fixed

b8c12a7b70f46c9516711a988483bed377b78d46

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.21.0"
        }
    ]
}

Affected versions

v1.*

v1.1.0

v1.10.0

v1.11.0

v1.12.0

v1.13.0

v1.14.0

v1.14.1

v1.14.2

v1.15.0

v1.15.1

v1.15.2

v1.16.0

v1.16.1

v1.16.2

v1.17.0

v1.17.1

v1.17.2

v1.17.3

v1.17.4

v1.17.5

v1.17.6

v1.18.0

v1.18.0-rc1

v1.19.0

v1.19.1

v1.19.2

v1.19.3

v1.19.4

v1.19.5

v1.2.0

v1.20.0

v1.20.1

v1.3.0

v1.3.1

v1.3.2

v1.7.0

v1.8.0

v1.9.0

v1.9.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68431.json"