
libheif: Local data corruption when parsing HEIF files

CVE-2026-3949
Summary

A security issue in libheif's HEIF file parser can cause data corruption if an attacker manipulates certain file inputs. The attack has to be launched locally, on the same system as the vulnerable software, so local access is required. To protect your system, update libheif to the latest version.

Original title
A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executi...
Original description
A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called b97c8b5f198b27f375127cd597a35f2113544d03. It is advisable to implement a patch to correct this issue.
NVD CVSS 2.0: 1.7
NVD CVSS 3.1: 3.3
NVD CVSS 4.0: 4.8
Vulnerability type
CWE-119 Buffer Overflow
CWE-125 Out-of-bounds Read
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026