Description
A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called b97c8b5f198b27f375127cd597a35f2113544d03. It is advisable to implement a patch to correct this issue.
Published: 2026-03-11
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an out-of-bounds read in the vvdec_push_data2 function of the HEIF File Parser component in libheif. An attacker manipulating the size argument can cause the function to read memory beyond the intended bounds, potentially exposing sensitive data. The weakness is categorized as CWE-119, CWE-125, and CWE-805. No code execution or denial of service is reported; the primary impact is information disclosure when the library processes a crafted HEIF file.

Affected Systems

This flaw exists in strukturag libheif versions up to 1.21.2, affecting the decoder_vvdec.cc source file. The vulnerable code path resides in the HEIF File Parser plugin. Systems running any of these versions that accept HEIF images from untrusted sources are susceptible.

Risk and Exploitability

The CVSS score is 4.8, indicating moderate severity, while the EPSS score is below 1%, suggesting a low probability of widespread exploitation. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires local execution: the attacker must run code on the target system or supply a malicious HEIF file that the local user or application processes. Public proof-of-concept code exists on GitHub, confirming that the flaw can be exercised in practice. Although the risk is limited to environments that process untrusted HEIF files locally, the impact of information leakage warrants prompt remediation.

Generated by OpenCVE AI on March 17, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch (commit b97c8b5f198b27f375127cd597a35f2113544d03) to libheif to correct the vvdec_push_data2 out-of-bounds read.
  • Upgrade libheif to version 1.21.3 or later if available.
  • Ensure that HEIF files are only processed from trusted sources or isolated in a sandboxed environment.

Generated by OpenCVE AI on March 17, 2026 at 16:30 UTC.

Tracking

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-805

Type: References

Type: Metrics
Values Removed: threat_severity: None
Values Added: threat_severity: Low


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Struktur; Struktur libheif

Type: Vendors & Products
Values Added: Struktur; Struktur libheif

Wed, 11 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 18:45:00 +0000

Type: Description
Values Added: A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called b97c8b5f198b27f375127cd597a35f2113544d03. It is advisable to implement a patch to correct this issue.

Type: Title
Values Added: strukturag libheif HEIF File decoder_vvdec.cc vvdec_push_data2 out-of-bounds

Type: Weaknesses
Values Added: CWE-119; CWE-125

Type: References

Type: Metrics
Values Added:
  cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
  cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Struktur Libheif
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T19:38:00.870Z

Reserved: 2026-03-11T11:59:39.639Z

Link: CVE-2026-3949

Vulnrichment

Updated: 2026-03-11T19:37:53.692Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T19:16:05.297

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-3949

Redhat

Severity : Low

Public Date: 2026-03-11T18:32:09Z

Links: CVE-2026-3949 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T15:29:34Z

Weaknesses