CVE-2026-3950 - Vulnerability Details

- strukturag libheif stsz/stts track.cc load out-of-bounds

Description

A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of the component stsz/stts. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. Applying a patch is the recommended action to fix this issue. The patch available is inofficial and not approved yet.

Published: 2026-03-11

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability was discovered in libheif versions up to 1.21.2 that allows a local attacker to supply a specially crafted HEIF file that triggers an out-of-bounds read in the Track::load function of libheif/sequences/track.cc. The exploitation can expose memory contents or cause a crash, which may lead to information disclosure. The weakness corresponds to CWE-119 and CWE-125.

Affected Systems

The affected product is strukturag:libheif up to version 1.21.2. The bug resides in the stsz/stts track loader of the library, and any installation of libheif in this version range is vulnerable.

Risk and Exploitability

The CVSS score is 4.8, indicating a low‑severity risk, and the EPSS score is less than 1%, showing a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog and requires local access, which limits the threat surface. Exploit code is publicly available on GitHub and may be used by local adversaries, but no known widespread incidents have been reported. The primary concern is potential information disclosure from the out‑of‑bounds read.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

strukturag

libheif

affected

Version	Status	Constraints
`1.21.0`	affected	—
`1.21.1`	affected	—
`1.21.2`	affected	—

No data.

Vendor Product Confidence Versions

Struktur

Libheif

94%

Version	Status	Scheme	Platform
`1.21.0`	affected	semver	—
`1.21.1`	affected	semver	—
`1.21.2`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the available unofficial patch from libheif PR 1721 to fix the out-of-bounds read.
If patch cannot be applied immediately, restrict execution of libheif to trusted users only.
Monitor the libheif repository for an official patch and upgrade to a fixed version when released.

Generated by OpenCVE AI on March 17, 2026 at 16:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Niebelungen-D/pocs/tree/main/heif_dec_sequence_chunk_idx_oob
https://github.com/strukturag/libheif/
https://github.com/strukturag/libheif/issues/1715
https://github.com/strukturag/libheif/pull/1721
https://nvd.nist.gov/vuln/detail/CVE-2026-3950
https://vuldb.com/?ctiid.350382
https://vuldb.com/?id.350382
https://vuldb.com/?submit.766431
https://www.cve.org/CVERecord?id=CVE-2026-3950

History

Fri, 13 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-3950 https://www.cve.org/CVERecord?id=CVE-2026-3950
Metrics	threat_severity `None`	threat_severity `Low`

Thu, 12 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Struktur Struktur libheif
Vendors & Products		Struktur Struktur libheif

Wed, 11 Mar 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Mar 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of the component stsz/stts. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. Applying a patch is the recommended action to fix this issue. The patch available is inofficial and not approved yet.
Title		strukturag libheif stsz/stts track.cc load out-of-bounds
Weaknesses		CWE-119 CWE-125
References		https://github.com/Niebelungen-D/pocs/tree/main/heif_dec_sequence_chunk_idx_oob https://github.com/strukturag/libheif/ https://github.com/strukturag/libheif/issues/1715 https://github.com/strukturag/libheif/pull/1721 https://vuldb.com/?ctiid.350382 https://vuldb.com/?id.350382 https://vuldb.com/?submit.766431
Metrics		cvssV2_0 `{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Struktur Libheif

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-11T19:02:08.446Z

Updated: 2026-03-11T20:24:59.822Z

Reserved: 2026-03-11T12:02:54.833Z

Link: CVE-2026-3950

Vulnrichment

Updated: 2026-03-11T20:24:48.393Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T20:16:22.567

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-3950

Redhat

Severity : Low

Publid Date: 2026-03-11T19:02:08Z

Links: CVE-2026-3950 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T15:29:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object