CVE-2026-3950 MEDIUM

CVE-2026-3950: strukturag libheif stsz/stts track.cc load out-of-bounds

Vendor Strukturag
Product libheif
Weakness CWE-125
Published March 11, 2026
Last update March 11, 2026

CVSS base score

4.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

A vulnerability was identified in strukturag libheif up to 1.21.2. It affects the function Track::load in the file libheif/sequences/track.cc of the component stsz/stts. The manipulation leads to an out-of-bounds read. The attack must be performed locally. The exploit is publicly available and might be used. Applying a patch is the recommended action to fix this issue. The available patch is unofficial and has not been approved yet.

Key dates

02 Disclosure timeline

March 11, 2026 CVE published
March 11, 2026 Record updated