CVE-2026-3949

Source
https://cve.org/CVERecord?id=CVE-2026-3949
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-3949.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-3949
Downstream
Published
2026-03-11T19:16:05.297Z
Modified
2026-03-15T14:50:12.704659Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
[none]
Details

A vulnerability was found in strukturag libheif up to 1.21.2. It affects the function vvdec_push_data2 in the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Manipulating the argument size can lead to an out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. The fix is commit b97c8b5f198b27f375127cd597a35f2113544d03. Applying the patch is advisable.

References

Affected packages

Git / github.com/strukturag/libheif

Affected ranges

Type
GIT
Repo
https://github.com/strukturag/libheif
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.8.0
v1.9.0
v1.9.1
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.15.1
v1.15.2
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.17.1
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.18.0-rc1
v1.18.0
v1.18.1
v1.18.2
v1.19.0
v1.19.1
v1.19.2
v1.19.3
v1.19.4
v1.19.5
v1.19.6
v1.19.7
v1.19.8
v1.20.0
v1.20.1
v1.21.0
v1.21.1
v1.21.2

Database specific

vanir_signatures
[
    {
        "id": "CVE-2026-3949-35acf889",
        "signature_type": "Line",
        "target": {
            "file": "libheif/plugins/decoder_vvdec.cc"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "241394016192530154728775493219794092134",
                "306070744995062561529607612816830400187",
                "222263289327577883699071857898995442826",
                "95113494202903003317628323001320890145",
                "306095758132309700395813887161949265853",
                "330046478980160121851119960901217415066",
                "291482973947041319417118209145053084229",
                "93434688375480901107547632780894131127"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03"
    },
    {
        "id": "CVE-2026-3949-a4f33640",
        "signature_type": "Function",
        "target": {
            "file": "libheif/plugins/decoder_vvdec.cc",
            "function": "vvdec_push_data2"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "125050619902725537773320484018886304502",
            "length": 549.0
        },
        "signature_version": "v1",
        "source": "https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03"
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-3949.json"