CVE-2025-68431

NameCVE-2025-68431
Descriptionlibheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1124317

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libheif (PTS)bullseye1.11.0-1vulnerable
bullseye (security)1.11.0-1+deb11u2vulnerable
bookworm, bookworm (security)1.15.1-1+deb12u1vulnerable
trixie1.19.8-1vulnerable
forky, sid1.20.2-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libheifsource(unstable)(unfixed)1124317

Notes

[trixie] - libheif <no-dsa> (Minor issue)
[bookworm] - libheif <no-dsa> (Minor issue)
[bullseye] - libheif <postponed> (Minor issue, OOBR)
https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq
Fixed by: https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46 (v1.21.0)
Search for package or bug name: Reporting problems