Low severity 3.3 · NVD Advisory · Published Mar 11, 2026 · Updated Apr 29, 2026
CVE-2026-3949
Description
A vulnerability was found in strukturag libheif up to 1.21.2. It affects the function vvdec_push_data2 in the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Manipulating the argument size can lead to an out-of-bounds read. The attack must be launched locally. The exploit has been publicly disclosed and may be used. The patch is identified as b97c8b5f198b27f375127cd597a35f2113544d03. Applying the patch is recommended to correct this issue.
Affected products
- (no CPE)
- (no CPE), range: <=1.21.2
- osv-coords, 4 versions:
  - pkg:rpm/opensuse/libheif&distro=openSUSE%20Leap%2016.0
  - pkg:rpm/opensuse/libheif&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/libheif&distro=SUSE%20Linux%20Enterprise%20Server%2016.0
  - pkg:rpm/suse/libheif&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
  - < 1.23.0-160000.1.1
- (no CPE), range: < 1.23.0-160000.1.1
- (no CPE), range: < 1.21.2-2.1
- (no CPE), range: < 1.23.0-160000.1.1
- (no CPE), range: < 1.23.0-160000.1.1