PT-2026-24787 · Struktur Ag · Libheif

Biniam · Published 2026-02-23 · Updated 2026-03-29 · CVE-2026-3949

CVSS v3.1: 3.3 Low

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

strukturag libheif versions up to 1.21.2

Description

A flaw exists in strukturag libheif that allows for an out-of-bounds read. The issue resides in the vvdec_push_data2 function within the libheif/plugins/decoder_vvdec.cc file of the HEIF File Parser component. Manipulating the size argument can trigger the flaw. The attack requires local access. The exploit has been publicly disclosed.

Recommendations

Apply patch b97c8b5f198b27f375127cd597a35f2113544d03 to correct this issue.

Exploit · Fix · Buffer Overflow · Out of bounds Read

Weakness Enumeration

Related Identifiers

BDU:2026-05075
CVE-2026-3949
ECHO-335C-65C6-BCA4
OPENSUSE-SU-2026:10460-1
SUSE-SU-2026:1660-1

Affected Products

Libheif