diff --git a/NEWS b/NEWS
index 7863b56edaa..7dc690d6758 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.5.2
+- EXIF:
+ . Fixed bug GH-20631 (Integer underflow in exif HEIF parsing
+ when pos.size < 2). (Oblivionsage)
 18 Dec 2025, PHP 8.5.1
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index d0c16413062..6ed86c88e56 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -4421,7 +4421,7 @@ static bool exif_scan_HEIF_header(image_info_type *ImageInfo, unsigned char *buf
 if (exif_read_from_stream_file_looped(ImageInfo->infile, (char*)(data + remain), limit - remain) == limit - remain) {
 exif_isobmff_parse_meta(data, data + limit, &pos);
 }
- if ((pos.size) &&
+ if ((pos.size >= 2) &&
 (pos.size < ImageInfo->FileSize) &&
 (ImageInfo->FileSize - pos.size >= pos.offset) &&
 (php_stream_seek(ImageInfo->infile, pos.offset + 2, SEEK_SET) >= 0)) {
diff --git a/ext/exif/tests/heic_iloc_underflow.phpt b/ext/exif/tests/heic_iloc_underflow.phpt
new file mode 100644
index 00000000000..9dd1878b60d
--- /dev/null
+++ b/ext/exif/tests/heic_iloc_underflow.phpt
@@ -0,0 +1,19 @@
+--TEST--
+HEIC iloc extent_length underflow
+--EXTENSIONS--
+exif
+--FILE--
+
+--CLEAN--
+
+--EXPECTF--
+Warning: exif_read_data(heic_iloc_underflow.heic): Invalid HEIF file in %s on line %d
+bool(false)
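Review bot: The constant 2 is now load-bearing in two places of this condition with nothing tying them together: the new lower bound `pos.size >= 2` exists only because of the `pos.offset + 2` seek on the last line and the matching length subtraction that, per the NEWS entry, underflowed when pos.size was 0 or 1. A comment above the `if`, such as `/* The 2-byte prefix at pos.offset is skipped below, so pos.size must cover it; a shorter extent would make the remaining length underflow (GH-20631). */`, would keep a later edit to either constant from reintroducing the bug; naming the 2 once (an enum or macro used by both the bound and the seek) would make the coupling explicit in code as well. The subtraction itself is not in the hunk, so I am inferring it from the NEWS text and the regression test's name. exif_scan_HEIF_header starts and ends outside the hunk.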