Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
3.3
libheif Image Parser Allows Unwanted Data Access
CVE-2026-3949
Summary
A weakness in libheif, a library used to parse HEIF image files, can allow attackers to access data they shouldn't. This could happen if someone manipulates the size of an image file in a specific way. To stay safe, update libheif to the latest version or apply the available patch.
Original title
A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executi...
Original description
A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called b97c8b5f198b27f375127cd597a35f2113544d03. It is advisable to implement a patch to correct this issue.
osv CVSS3.1
3.3
- https://vuldb.com/?ctiid.350381 URL
- https://vuldb.com/?id.350381 URL
- https://vuldb.com/?submit.765979 URL
- https://github.com/biniamf/pocs/tree/main/libheif_vvdec URL
- https://github.com/strukturag/libheif/ URL
- https://github.com/strukturag/libheif/issues/1712 Third Party Advisory
- https://github.com/strukturag/libheif/issues/1712#issuecomment-3947938531 Third Party Advisory
- https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f21135... Patch
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 13 Mar 2026