{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3950", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-11T12:02:54.833Z", "datePublished": "2026-03-11T19:02:08.446Z", "dateUpdated": "2026-03-11T20:24:59.822Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-11T19:02:08.446Z"}, "title": "strukturag libheif stsz/stts track.cc load out-of-bounds", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-125", "lang": "en", "description": "Out-of-Bounds Read"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "strukturag", "product": "libheif", "versions": [{"version": "1.21.0", "status": "affected"}, {"version": "1.21.1", "status": "affected"}, {"version": "1.21.2", "status": "affected"}], "modules": ["stsz/stts"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of the component stsz/stts. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. Applying a patch is the recommended action to fix this issue. The patch available is inofficial and not approved yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-11T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-11T13:08:05.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Niebelungen (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.350382", "name": "VDB-350382 | strukturag libheif stsz/stts track.cc load out-of-bounds", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.350382", "name": "VDB-350382 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.766431", "name": "Submit #766431 | strukturag libheif 1.21.2 Out-of-Bounds Read", "tags": ["third-party-advisory"]}, {"url": "https://github.com/strukturag/libheif/issues/1715", "tags": ["issue-tracking"]}, {"url": "https://github.com/Niebelungen-D/pocs/tree/main/heif_dec_sequence_chunk_idx_oob", "tags": ["exploit"]}, {"url": "https://github.com/strukturag/libheif/pull/1721", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/strukturag/libheif/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T20:24:45.324812Z", "id": "CVE-2026-3950", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T20:24:59.822Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3950", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T20:24:45.324812Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T20:24:48.393Z"}}], "cna": {"title": "strukturag libheif stsz/stts track.cc load out-of-bounds", "credits": [{"lang": "en", "type": "reporter", "value": "Niebelungen (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "strukturag", "modules": ["stsz/stts"], "product": "libheif", "versions": [{"status": "affected", "version": "1.21.0"}, {"status": "affected", "version": "1.21.1"}, {"status": "affected", "version": "1.21.2"}]}], "timeline": [{"lang": "en", "time": "2026-03-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-11T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-11T13:08:05.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.350382", "name": "VDB-350382 | strukturag libheif stsz/stts track.cc load out-of-bounds", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.350382", "name": "VDB-350382 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.766431", "name": "Submit #766431 | strukturag libheif 1.21.2 Out-of-Bounds Read", "tags": ["third-party-advisory"]}, {"url": "https://github.com/strukturag/libheif/issues/1715", "tags": ["issue-tracking"]}, {"url": "https://github.com/Niebelungen-D/pocs/tree/main/heif_dec_sequence_chunk_idx_oob", "tags": ["exploit"]}, {"url": "https://github.com/strukturag/libheif/pull/1721", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/strukturag/libheif/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of the component stsz/stts. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. Applying a patch is the recommended action to fix this issue. The patch available is inofficial and not approved yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "Out-of-Bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-11T19:02:08.446Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3950", "state": "PUBLISHED", "dateUpdated": "2026-03-11T20:24:59.822Z", "dateReserved": "2026-03-11T12:02:54.833Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-11T19:02:08.446Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of the component stsz/stts. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. Applying a patch is the recommended action to fix this issue. The patch available is inofficial and not approved yet."}, {"lang": "es", "value": "Una vulnerabilidad fue identificada en strukturag libheif hasta la versi\u00f3n 1.21.2. Esto afecta a la funci\u00f3n Track::load del archivo libheif/sequences/track.cc del componente stsz/stts. La manipulaci\u00f3n conduce a una lectura fuera de l\u00edmites. El ataque debe realizarse localmente. El exploit est\u00e1 disponible p\u00fablicamente y podr\u00eda ser utilizado. Aplicar un parche es la acci\u00f3n recomendada para solucionar este problema. El parche disponible es no oficial y a\u00fan no ha sido aprobado."}], "id": "CVE-2026-3950", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-11T20:16:22.567", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/Niebelungen-D/pocs/tree/main/heif_dec_sequence_chunk_idx_oob"}, {"source": "cna@vuldb.com", "url": "https://github.com/strukturag/libheif/"}, {"source": "cna@vuldb.com", "url": "https://github.com/strukturag/libheif/issues/1715"}, {"source": "cna@vuldb.com", "url": "https://github.com/strukturag/libheif/pull/1721"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.350382"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.350382"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.766431"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-125"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{"bugzilla": {"description": "libheif: libheif: Denial of Service via out-of-bounds read in Track::load function", "id": "2446751", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446751"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in libheif. A local attacker could exploit an out-of-bounds read vulnerability in the `Track::load` function within the `stsz/stts` component. This manipulation could lead to a Denial of Service (DoS), making the affected system or application unavailable."], "name": "CVE-2026-3950", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "glycin-loaders", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2026-03-11T19:02:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3950\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3950\nhttps://github.com/Niebelungen-D/pocs/tree/main/heif_dec_sequence_chunk_idx_oob\nhttps://github.com/strukturag/libheif/\nhttps://github.com/strukturag/libheif/issues/1715\nhttps://github.com/strukturag/libheif/pull/1721\nhttps://vuldb.com/?ctiid.350382\nhttps://vuldb.com/?id.350382\nhttps://vuldb.com/?submit.766431"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.21.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.21.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.21.2"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "libheif", "source": "cna", "vendor": "strukturag"}, "product": "libheif", "vendor": "struktur"}], "analysis": {"en": {"generated_at": "2026-03-17T16:29:28.134541+00:00", "value": {"mitigation_remediation": ["Apply the available unofficial patch from libheif PR 1721 to fix the out-of-bounds read.", "If patch cannot be applied immediately, restrict execution of libheif to trusted users only.", "Monitor the libheif repository for an official patch and upgrade to a fixed version when released."], "summary": {"action": "Apply Patch", "impact": "Out-of-bounds read (potential information disclosure)"}, "threat_synthesis": {"affected_systems": "The affected product is strukturag:libheif up to version 1.21.2. The bug resides in the stsz/stts track loader of the library, and any installation of libheif in this version range is vulnerable.", "description_and_impact": "A vulnerability was discovered in libheif versions up to 1.21.2 that allows a local attacker to supply a specially crafted HEIF file that triggers an out-of-bounds read in the Track::load function of libheif/sequences/track.cc. The exploitation can expose memory contents or cause a crash, which may lead to information disclosure. The weakness corresponds to CWE-119 and CWE-125.", "risk_and_exploitability": "The CVSS score is 4.8, indicating a low\u2011severity risk, and the EPSS score is less than 1%, showing a low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog and requires local access, which limits the threat surface. Exploit code is publicly available on GitHub and may be used by local adversaries, but no known widespread incidents have been reported. The primary concern is potential information disclosure from the out\u2011of\u2011bounds read."}}}}, "created": "2026-03-12T09:56:50.545030+00:00", "updated": "2026-03-20T15:29:25.391869+00:00", "vendors": ["struktur", "struktur$PRODUCT$libheif"]}