CVE-2026-3949

Source
https://cve.org/CVERecord?id=CVE-2026-3949
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3949.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-3949
Published
2026-03-11T19:16:05.297Z
Modified
2026-04-30T14:00:41.285136Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
[none]
Details

A vulnerability was found in strukturag libheif up to version 1.21.2. It affects the function vvdec_push_data2 in the file libheif/plugins/decoder_vvdec.cc of the HEIF File Parser component. Manipulation of the size argument can lead to an out-of-bounds read. The attack must be launched locally. The exploit has been publicly disclosed and may be used. The fix is commit b97c8b5f198b27f375127cd597a35f2113544d03; applying this patch is recommended.

References

Affected packages

Git / github.com/strukturag/libheif

Affected ranges

Type
GIT
Repo
https://github.com/strukturag/libheif
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.15.1
v1.15.2
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.17.1
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.18.0
v1.18.0-rc1
v1.19.0
v1.19.1
v1.19.2
v1.19.3
v1.19.4
v1.19.5
v1.2.0
v1.20.0
v1.20.1
v1.21.0
v1.21.1
v1.21.2
v1.3.0
v1.3.1
v1.3.2
v1.7.0
v1.8.0
v1.9.0
v1.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3949.json"
vanir_signatures_modified
"2026-04-30T14:00:41Z"
vanir_signatures
[
    {
        "target": {
            "file": "libheif/plugins/decoder_vvdec.cc"
        },
        "id": "CVE-2026-3949-35acf889",
        "source": "https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "241394016192530154728775493219794092134",
                "306070744995062561529607612816830400187",
                "222263289327577883699071857898995442826",
                "95113494202903003317628323001320890145",
                "306095758132309700395813887161949265853",
                "330046478980160121851119960901217415066",
                "291482973947041319417118209145053084229",
                "93434688375480901107547632780894131127"
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "libheif/plugins/decoder_vvdec.cc",
            "function": "vvdec_push_data2"
        },
        "id": "CVE-2026-3949-a4f33640",
        "source": "https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 549.0,
            "function_hash": "125050619902725537773320484018886304502"
        },
        "signature_version": "v1"
    }
]