PUBLIC MIRROR: A read-only public view of Anvil. Only publicly-disclosed findings are shown; the Playbook, techniques, sessions and embargoed research are hidden.

📖 libheif

paused
vmaster @ 78638f4f (2026-05-03, ~1.21.2-era dev commit; NOTE: this is the campaign commit, NOT the v1.21.2 release tag 62f1b8c7 — the checkout is a grafted/shallow clone)
github.com/strukturag/libheif
owner: ariel
Research headroom: 32%
Modules examined: 19/20
Findings: 7 · 1 CVE

Disclosed findings (7, 1 CVE)

More vulnerabilities will appear here as they are patched and publicly disclosed.

| ID | Title | Class | Severity | Evidence | Status | CVE | Discovered |
|---|---|---|---|---|---|---|---|
| LIBHEIF-0007 | Uncompressed encoder: heap OOB write in rgb_block_pixel_interleave for RRGGBB images with bit-depth <= 8 | oob-write | medium | ✓ disclosure | verified | | 2026-06-21 |
| LIBHEIF-0008 | Color conversion: heap OOB read converting odd-dimension uncompressed 4:2:0 (decoder floor-allocates chroma; multiple ceil-assuming conversion sinks incl. the common 4:2:0→RGB path) | oob-read | medium | ✓ real app | verified | | 2026-06-21 |
| LIBHEIF-0010 | Image sequences: unbounded allocation reading a sample (append_data_from_file_range ignores security limits) → memory-exhaustion DoS | dos | medium | harness | harness-verified | | 2026-06-21 |
| LIBHEIF-0009 | VVC decode glue: reachable assert(false) in parse_sps_for_vvcC_configuration on crafted SPS (gci/subpic TODO paths) | dos | low | harness | harness-verified | | 2026-06-21 |
| LIBHEIF-0004 | JPEG decoder plugin: memory leak on longjmp past jpeg_finish_decompress | dos | low | ✓ public API | verified | | 2026-05-04 |
| LIBHEIF-0001 | Grid NULL-pointer dereference in decode_grid_tile on missing tile reference | dos | medium | ✓ disclosure | verified | | 2026-05-03 |
| LIBHEIF-0002 | Grid uint32 underflow → heap out-of-bounds read in decode_grid_tile | oob-read | high | ✓ disclosure | patched | CVE-2026-48029 | 2026-05-03 |

Attack surface & downstream impact

Attack surface

- ISO-BMFF box parsing (ftyp/meta/iinf/iref/iloc/iprp/ipco/ipma)
- derived images (grid/overlay/iden/tiled/mask)
- per-tile decode API (heif_image_handle_decode_image_tile)
- metadata & properties (Exif/XMP/ICC/nclx/clap/irot)
- image sequences (tracks)
- codec bitstream glue (HEVC/AV1/AVC/JPEG/JPEG2000/VVC)
- uncompressed codec (ISO/IEC 23001-17)
- color conversion
- encoder paths

Downstream impact

- Web browsers decoding HEIC via a libheif backend
- GNOME image viewers (gdk-pixbuf libheif loader)
- KDE Gwenview / digiKam / Krita
- ImageMagick / GraphicsMagick (libheif delegate)
- libvips and server-side image-processing pipelines
- Android apps bundling libheif

Disclosure timeline (3)

| Finding | Reported | Vendor ack | Public | Patched in |
|---|---|---|---|---|
| LIBHEIF-0001 | 2026-05-03 | 2026-05-18 | 2026-05-19 | 1.22.0 |
| LIBHEIF-0002 | 2026-05-03 | 2026-05-18 | 2026-05-19 | 1.22.0 |
| LIBHEIF-0007 | 2026-06-23 | | | |