{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3949", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-11T11:59:39.639Z", "datePublished": "2026-03-11T18:32:09.358Z", "dateUpdated": "2026-03-11T19:38:00.870Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-11T18:32:09.358Z"}, "title": "strukturag libheif HEIF File decoder_vvdec.cc vvdec_push_data2 out-of-bounds", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-125", "lang": "en", "description": "Out-of-Bounds Read"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "strukturag", "product": "libheif", "versions": [{"version": "1.21.0", "status": "affected"}, {"version": "1.21.1", "status": "affected"}, {"version": "1.21.2", "status": "affected"}], "modules": ["HEIF File Parser"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called b97c8b5f198b27f375127cd597a35f2113544d03. It is advisable to implement a patch to correct this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-11T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-11T13:04:43.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "biniam (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.350381", "name": "VDB-350381 | strukturag libheif HEIF File decoder_vvdec.cc vvdec_push_data2 out-of-bounds", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.350381", "name": "VDB-350381 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.765979", "name": "Submit #765979 | strukturag libheif 1.21.2 Out-of-Bounds Read", "tags": ["third-party-advisory"]}, {"url": "https://github.com/strukturag/libheif/issues/1712", "tags": ["issue-tracking"]}, {"url": "https://github.com/strukturag/libheif/issues/1712#issuecomment-3947938531", "tags": ["issue-tracking"]}, {"url": "https://github.com/biniamf/pocs/tree/main/libheif_vvdec", "tags": ["exploit"]}, {"url": "https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03", "tags": ["patch"]}, {"url": "https://github.com/strukturag/libheif/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T19:37:14.390113Z", "id": "CVE-2026-3949", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:38:00.870Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3949", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T19:37:14.390113Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:37:53.692Z"}}], "cna": {"tags": ["x_open-source"], "title": "strukturag libheif HEIF File decoder_vvdec.cc vvdec_push_data2 out-of-bounds", "credits": [{"lang": "en", "type": "reporter", "value": "biniam (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "strukturag", "modules": ["HEIF File Parser"], "product": "libheif", "versions": [{"status": "affected", "version": "1.21.0"}, {"status": "affected", "version": "1.21.1"}, {"status": "affected", "version": "1.21.2"}]}], "timeline": [{"lang": "en", "time": "2026-03-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-11T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-11T13:04:43.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.350381", "name": "VDB-350381 | strukturag libheif HEIF File decoder_vvdec.cc vvdec_push_data2 out-of-bounds", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.350381", "name": "VDB-350381 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.765979", "name": "Submit #765979 | strukturag libheif 1.21.2 Out-of-Bounds Read", "tags": ["third-party-advisory"]}, {"url": "https://github.com/strukturag/libheif/issues/1712", "tags": ["issue-tracking"]}, {"url": "https://github.com/strukturag/libheif/issues/1712#issuecomment-3947938531", "tags": ["issue-tracking"]}, {"url": "https://github.com/biniamf/pocs/tree/main/libheif_vvdec", "tags": ["exploit"]}, {"url": "https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03", "tags": ["patch"]}, {"url": "https://github.com/strukturag/libheif/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called b97c8b5f198b27f375127cd597a35f2113544d03. It is advisable to implement a patch to correct this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "Out-of-Bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-11T18:32:09.358Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3949", "state": "PUBLISHED", "dateUpdated": "2026-03-11T19:38:00.870Z", "dateReserved": "2026-03-11T11:59:39.639Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-11T18:32:09.358Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called b97c8b5f198b27f375127cd597a35f2113544d03. It is advisable to implement a patch to correct this issue."}, {"lang": "es", "value": "Se determin\u00f3 una vulnerabilidad en strukturag libheif hasta la versi\u00f3n 1.21.2. Esto afecta a la funci\u00f3n vvdec_push_data2 del archivo libheif/plugins/decoder_vvdec.cc del componente HEIF File Parser. Ejecutar una manipulaci\u00f3n del argumento size puede llevar a una lectura fuera de l\u00edmites. El ataque debe lanzarse localmente. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado. Este parche se llama b97c8b5f198b27f375127cd597a35f2113544d03. Es aconsejable implementar un parche para corregir este problema."}], "id": "CVE-2026-3949", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-11T19:16:05.297", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/biniamf/pocs/tree/main/libheif_vvdec"}, {"source": "cna@vuldb.com", "url": "https://github.com/strukturag/libheif/"}, {"source": "cna@vuldb.com", "url": "https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03"}, {"source": "cna@vuldb.com", "url": "https://github.com/strukturag/libheif/issues/1712"}, {"source": "cna@vuldb.com", "url": "https://github.com/strukturag/libheif/issues/1712#issuecomment-3947938531"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.350381"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.350381"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.765979"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-125"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{"bugzilla": {"description": "libheif: libheif: Out-of-bounds read via local argument manipulation", "id": "2446725", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446725"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-805", "details": ["A flaw was found in libheif. This vulnerability allows a local attacker to trigger an out-of-bounds read by manipulating the size argument in the `vvdec_push_data2` function. This could lead to a denial of service (DoS)."], "name": "CVE-2026-3949", "public_date": "2026-03-11T18:32:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3949\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3949\nhttps://github.com/biniamf/pocs/tree/main/libheif_vvdec\nhttps://github.com/strukturag/libheif/\nhttps://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03\nhttps://github.com/strukturag/libheif/issues/1712\nhttps://github.com/strukturag/libheif/issues/1712#issuecomment-3947938531\nhttps://vuldb.com/?ctiid.350381\nhttps://vuldb.com/?id.350381\nhttps://vuldb.com/?submit.765979"], "statement": "This is a LOW impact vulnerability in libheif affecting Red Hat Community Projects. A local attacker can trigger an out-of-bounds read by manipulating arguments to the `vvdec_push_data2` function, potentially leading to a denial of service. Exploitation requires local access to the system.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.21.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.21.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.21.2"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "libheif", "source": "cna", "vendor": "strukturag"}, "product": "libheif", "vendor": "struktur"}], "analysis": {"en": {"generated_at": "2026-03-17T16:30:01.924008+00:00", "value": {"mitigation_remediation": ["Apply the latest patch (commit b97c8b5f198b27f375127cd597a35f2113544d03) to libheif to correct the vvdec_push_data2 out-of-bounds read.", "Upgrade libheif to version 1.21.3 or later if available.", "Ensure that HEIF files are only processed from trusted sources or isolated in a sandboxed environment."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "This flaw exists in strukturag libheif versions up to 1.21.2, affecting the decoder_vvdec.cc source file. The vulnerable code path resides in the HEIF File Parser plugin. Systems running any of these versions that accept HEIF images from untrusted sources are susceptible.", "description_and_impact": "The vulnerability is an out\u2011of\u2011bounds read in the vvdec_push_data2 function of the HEIF File Parser component in libheif. An attacker manipulating the size argument can cause the function to read memory beyond the intended bounds, potentially exposing sensitive data. The weakness is categorized as CWE\u2011119, CWE\u2011125, and CWE\u2011805. No code execution or denial of service is reported; the primary impact is information disclosure when the library processes a crafted HEIF file.", "risk_and_exploitability": "The CVSS score is 4.8, indicating moderate severity, while the EPSS score is below 1\u202f%, suggesting a low probability of widespread exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires local execution; the attacker must run code on the target system or supply a malicious HEIF file that the local user or application processes. Public proof\u2011of\u2011concepts exist on GitHub, confirming that the flaw can be exercised in practice. Although the risk is limited to environments that process untrusted HEIF files locally, the impact of information leakage warrants prompt remediation."}}}}, "created": "2026-03-12T09:56:59.032179+00:00", "updated": "2026-03-20T15:29:34.117359+00:00", "vendors": ["struktur", "struktur$PRODUCT$libheif"]}