An out-of-bounds memory access vulnerability exists in the uncompressed decoder component of libheif. A maliciously crafted HEIF image can trigger a denial-of-service condition by causing the libheif library to crash or exhibit other unexpected behavior due to an out-of-bounds memory access.
libheif is an open-source library used for decoding and encoding modern image formats, including HEIF (High Efficiency Image File Format) and AVIF (AV1 Image File Format). These formats provide high compression efficiency and are widely used across mobile devices and online platforms.
libheif contains an out-of-bounds iterator access vulnerability in its uncompressed codec. The issue occurs when the decoder processes certain metadata structures within a HEIF file. Specifically, the decoder fails to adequately validate values read from an internal metadata box before performing iterator arithmetic on the underlying data buffer.
As a result, a malformed HEIF file can cause the decoder to read past the end of the input buffer and incorrectly interpret unrelated memory as valid metadata. This invalid memory access may lead to a segmentation fault during image decoding.
The CVE-2025-65586 captures this out-of-bounds checking flaw in libheifβs uncompressed codec that allows a maliciously crafted HEIF file to trigger an out-of-bounds read, resulting in a segmentation fault and denial of service when the file is parsed. The vulnerability was introduced in commit 6190b58f (October 3, 2024). Versions v1.19.0 through Versions 1.20.2 are affected by this vulnerbaility. The versions v1.17.6 and earlier are not affected. The issue was reported to the libheif project and has been fixed in commit f4d9157 (November 5, 2025) and then merged to the version release 1.21.0 at the end of 2025.
An attacker can exploit this vulnerability by supplying a maliciously crafted HEIF image, causing applications that use libheif to crash. Based on current analysis, exploitation is limited to denial-of-service conditions.
Potential impacts include
There is no evidence at this time that this vulnerability can be used to achieve memory disclosure or arbitrary code execution.
The vulnerability was discovered through coverage-guided fuzzing using AddressSanitizer-instrumented builds of libheif. The issue was reproducible across standard Linux development environments.
Software vendors and developers using the libheif library are strongly encouraged to update to version 1.21.0 or later, which includes the fix for this vulnerability. End users should apply available software updates to ensure they are running a version of libheif that addresses this issue.
Thanks to the reporter Maor Caplan for identifying the vulnerability and to Dirk Farin for implementing the fix. This document was written by Timur Snoke.
| CVE IDs: | CVE-2025-65586 |
| Date Public: | 2026-01-20 |
| Date First Published: | 2026-01-20 |
| Date Last Updated: | 2026-01-27 17:39 UTC |
| Document Revision: | 4 |
The binary-parser library for Node.js contains a code injection vulnerability that may allow arbitrary JavaScript code execution if untrusted input is used to construct parser definitions. Versions prior to 2.3.0 are affected. The issue has been resolved by the developer in a public update.
binary-parser is a JavaScript library to facilitate writing "efficient binary parsers in a simple and declarative manner." binary-parser (versions < 2.3.0) dynamically generates JavaScript code at runtime using the Function constructor. Certain user-supplied valuesβspecifically, parser field names and encoding parametersβare incorporated into this generated code without validation or sanitization.
If an application passes untrusted or externally supplied data into these parameters, the unsanitized values can alter the generated code, enabling execution of attacker-controlled JavaScript. Applications that use only static, hardcoded parser definitions are not affected.
The vendor has released a fix and clarified the libraryβs design limitations in version 2.3.0.
In affected applications that construct parser definitions using untrusted input, an attacker may be able to execute arbitrary JavaScript code with the privileges of the Node.js process. This could allow access to local data, manipulation of application logic, or execution of system commands depending on the deployment environment.
Users of the binary-parser library should upgrade to version 2.3.0 or later, where the vendor has implemented input validation and mitigations for unsafe code generation. Developers should avoid passing untrusted or user-controlled values into parser field names or encoding parameters.
Thanks to the reporter Maor Caplan for identifying the vulnerability and to Keichi Takahashi for implementing the fix. This document was written by Timur Snoke.
| CVE IDs: | CVE-2026-1245 |
| Date Public: | 2026-01-20 |
| Date First Published: | 2026-01-20 |
| Date Last Updated: | 2026-01-21 17:34 UTC |
| Document Revision: | 2 |
Login