{"id":"JLSEC-2026-156","details":"libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.","modified":"2026-04-20T18:45:06.252510Z","published":"2026-04-20T18:41:44.911Z","upstream":["CVE-2025-68431","EUVD-2025-205646"],"database_specific":{"sources":[{"url":"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-68431","modified":"2026-02-25T14:53:34.747Z","imported":"2026-04-20T18:31:44.643Z","html_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68431","database_specific":{"status":"Analyzed"},"published":"2025-12-29T19:15:56.933Z","id":"CVE-2025-68431"},{"url":"https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2025-205646","modified":"2025-12-30T22:26:20Z","imported":"2026-04-20T18:31:46.459Z","html_url":"https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-205646","published":"2025-12-29T19:09:54Z","id":"EUVD-2025-205646"}],"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46"},{"type":"WEB","url":"https://github.com/strukturag/libheif/releases/tag/v1.21.0"},{"type":"WEB","url":"https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq"}],"affected":[{"package":{"name":"libheif_jll","ecosystem":"Julia","purl":"pkg:julia/libheif_jll?uuid=a13778fd-9a17-58b4-b5a0-4b4a242815a9"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.21.2000+0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-156.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}