CVE-2026-3949 | strukturag libheif up to 1.21.2 HEIF File Parser decoder_vvdec.cc vvdec_push_data2 size out-of-bounds (Issue 1712)

A vulnerability, which was classified as problematic, was found in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read.

This vulnerability is registered as CVE-2026-3949. The attack needs to be launched locally. Furthermore, an exploit is available.

It is advisable to implement a patch to correct this issue.

CVE-2026-3949 | strukturag libheif up to 1.21.2 HEIF File Parser decoder_vvdec.cc vvdec_push_data2 size out-of-bounds (Issue 1712)

Post correlati

CVE-2025-20933 | Samsung Notes up to 4.4.21.62 BMP Image Parser out-of-bounds

CVE-2024-50969 | code-projects Jonnys Liquor 1.0 Parameter browse.php search cross site scripting

CVE-2023-47691 | Podlove Web Player Plugin up to 5.7.3 on WordPress authorization

CVE-2026-20675 | Apple macOS/watchOS/visionOS/iOS/iPadOS/tvOS up to 26.2 Image Parser memory corruption