{"id":"CVE-2025-68431","summary":"libheif has Potential Heap Buffer Over-Read","details":"libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.","aliases":["GHSA-j87x-4gmq-cqfq"],"modified":"2026-04-12T19:16:14.186260Z","published":"2025-12-29T19:09:54.628Z","related":["SUSE-SU-2026:0087-1","SUSE-SU-2026:0377-1","SUSE-SU-2026:20121-1","openSUSE-SU-2026:10019-1","openSUSE-SU-2026:20076-1"],"database_specific":{"cwe_ids":["CWE-125","CWE-190"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68431.json"},"references":[{"type":"WEB","url":"https://github.com/strukturag/libheif/releases/tag/v1.21.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68431.json"},{"type":"ADVISORY","url":"https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68431"},{"type":"FIX","url":"https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/strukturag/libheif","events":[{"introduced":"0"},{"fixed":"81b09baa38ac8654d34d0f8b7780c44addfc7893"}]}],"versions":["v1.1.0","v1.10.0","v1.11.0","v1.12.0","v1.13.0","v1.14.0","v1.14.1","v1.14.2","v1.15.0","v1.15.1","v1.15.2","v1.16.0","v1.16.1","v1.16.2","v1.17.0","v1.17.1","v1.17.2","v1.17.3","v1.17.4","v1.17.5","v1.17.6","v1.18.0","v1.18.0-rc1","v1.19.0","v1.19.1","v1.19.2","v1.19.3","v1.19.4","v1.19.5","v1.2.0","v1.20.0","v1.20.1","v1.3.0","v1.3.1","v1.3.2","v1.7.0","v1.8.0","v1.9.0","v1.9.1"],"database_specific":{"vanir_signatures_modified":"2026-04-12T19:16:14Z","vanir_signatures":[{"target":{"file":"libheif/api/libheif/heif_decoding.cc","function":"fill_default_decoding_options"},"signature_type":"Function","digest":{"length":940,"function_hash":"34356497781205006473252364979556906119"},"deprecated":false,"signature_version":"v1","id":"CVE-2025-68431-41f3b864","source":"https://github.com/strukturag/libheif/commit/81b09baa38ac8654d34d0f8b7780c44addfc7893"},{"target":{"file":"libheif/api/libheif/heif_decoding.cc","function":"heif_decoding_options_copy"},"signature_type":"Function","digest":{"length":1374,"function_hash":"329797198584329899104486683601108515964"},"deprecated":false,"signature_version":"v1","id":"CVE-2025-68431-4ec9870c","source":"https://github.com/strukturag/libheif/commit/81b09baa38ac8654d34d0f8b7780c44addfc7893"},{"target":{"file":"libheif/api/libheif/heif_decoding.cc"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["86989328228010646195824957620703865309","315748430350726531986735925707017146044","48195258588107620977743124844228928254","39329765749603303780335262745387807436","278674891859007306422493718580202199222","246737114233977316513938417832652467043","305193605705415212218217871446369761088","51058199956735957655386557920259163456","44218036590128212083565674600086656473","196590235662868324802423222985018305791","177174771090411233403604693192959750546","272346606380776608490083823624255834136","316203364162326920082443224420335411806","173998481382920159388264252056027936138","309796206102394975632185273807526561928","264961994815018702713207910196561053551","272640526741428161440284802322705573607","288262173295861768794265364273338310735","53705723303867008772075427526346244002"]},"deprecated":false,"signature_version":"v1","id":"CVE-2025-68431-8b16a428","source":"https://github.com/strukturag/libheif/commit/81b09baa38ac8654d34d0f8b7780c44addfc7893"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68431.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}