CVE-2026-32739
CVE-2026-32739 is a medium-severity vulnerability in Struktur Libheif with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-835.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 0% (24th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-30975
- Weakness: CWE-835
- Affected product: Struktur Libheif
- Published:
- Last modified:
Description
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 100% CPU indefinitely with zero progress, leading to DoS. The loop has no iteration limit or timeout and is triggered during file open (parsing) - before any user interaction or image decoding. The process stays alive (no crash, no error logged), making it invisible to crash-based monitoring. This issue has been fixed in version 1.22.0.
Frequently asked questions
- What is CVE-2026-32739?
- libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 100% CPU indefinitely with zero progress, leading to DoS. The loop has no iteration limit or timeout and is triggered during file open (parsing) - before any user interaction or image decoding. The process stays alive (no crash, no error logged), making it invisible to crash-based monitoring. This issue has been fixed in version 1.22.0.
- How severe is CVE-2026-32739?
- CVE-2026-32739 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-32739 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (24th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-32739?
- CVE-2026-32739 affects Struktur Libheif. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-32739?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-32739 have an EU (EUVD) identifier?
- Yes. CVE-2026-32739 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-30975.
- When was CVE-2026-32739 published?
- CVE-2026-32739 was published on 2026-05-19 and last updated on 2026-06-17.
References
- https://github.com/strukturag/libheif/releases/tag/v1.22.0
- https://github.com/strukturag/libheif/security/advisories/GHSA-j9g7-q9hv-gq8c
Affected products (1)
- cpe:2.3:a:struktur:libheif:*:*:*:*:*:*:*:*
More vulnerabilities in Struktur Libheif
- CVE-2026-32740 — High (CVSS 8.8): libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow…
- CVE-2023-49464 — High (CVSS 8.8): libheif v1.17.5 was discovered to contain a segmentation violation via the function…
- CVE-2023-49463 — High (CVSS 8.8): libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc.
- CVE-2023-49462 — High (CVSS 8.8): libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc.
- CVE-2023-49460 — High (CVSS 8.8): libheif v1.17.5 was discovered to contain a segmentation violation via the function…
- CVE-2020-19499 — High (CVSS 8.8): An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of…
All CVEs affecting Struktur Libheif →
Other CWE-835 (Loop with Unreachable Exit Condition (Infinite Loop)) vulnerabilities
- CVE-2026-24816 — Critical (CVSS 10.0): Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in datavane tis…
- CVE-2018-20784 — Critical (CVSS 9.8): In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a…
- CVE-2017-12997 — Critical (CVSS 9.8): The LLDP parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in…
- CVE-2017-12995 — Critical (CVSS 9.8): The DNS parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in print-domain.c:ns_print().
- CVE-2017-12990 — Critical (CVSS 9.8): The ISAKMP parser in tcpdump before 4.9.2 could enter an infinite loop due to bugs in print-isakmp.c, several functions.
- CVE-2026-31448 — Critical (CVSS 9.4): In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual…
Browse all CWE-835 (Loop with Unreachable Exit Condition (Infinite Loop)) vulnerabilities →