x/vulndb: potential Go vuln in github.com/strukturag/libheif: CVE-2025-43966

[GoVulnBot]

Advisory CVE-2025-43966 references a vulnerability in the following Go modules:

Module
github.com/strukturag/libheif

Description:
libheif before 1.19.6 has a NULL pointer dereference in ImageItem_iden in image-items/iden.cc.

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-43966
• FIX: strukturag/libheif@b385553
• WEB: strukturag/libheif@v1.19.5...v1.19.6

Cross references:

• github.com/strukturag/libheif appears in 4 other report(s):
  • data/excluded/GO-2023-1594.yaml (x/vulndb: potential Go vuln in github.com/strukturag/libheif: CVE-2023-0996 #1594) NOT_GO_CODE
  • data/excluded/GO-2023-1822.yaml (x/vulndb: potential Go vuln in github.com/strukturag/libheif: GHSA-22fx-6r9m-r8h9 #1822) NOT_GO_CODE
  • data/excluded/GO-2023-2389.yaml (x/vulndb: potential Go vuln in github.com/strukturag/libheif: CVE-2023-49463 #2389) NOT_GO_CODE
  • data/excluded/GO-2024-3202.yaml (x/vulndb: potential Go vuln in github.com/strukturag/libheif: CVE-2024-41311 #3202) NOT_GO_CODE

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/strukturag/libheif
      vulnerable_at: 1.19.7
summary: CVE-2025-43966 in github.com/strukturag/libheif
cves:
    - CVE-2025-43966
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-43966
    - fix: https://github.com/strukturag/libheif/commit/b38555387e4b5dcf036fe45b0c440aca19b7b69c
    - web: https://github.com/strukturag/libheif/compare/v1.19.5...v1.19.6
source:
    id: CVE-2025-43966
    created: 2025-04-21T01:01:15.471212181Z
review_status: UNREVIEWED

[thatnealpatel]

Patch is non-Go: strukturag/libheif@b385553