CVE-2026-3949 | strukturag libheif up to 1.21.2 HEIF File Parser decoder_vvdec.cc vvdec_push_data2 size out-of-bounds (Issue 1712 / EUVD-2026-11300)
A vulnerability classified as problematic was found in strukturag libheif up to 1.21.2. It affects the function vvdec_push_data2 in the file libheif/plugins/decoder_vvdec.cc, part of the HEIF File Parser component. Manipulating the argument size can lead to an out-of-bounds read.
This vulnerability is registered as CVE-2026-3949. The attack needs to be launched locally. Furthermore, an exploit is available.
It is advisable to apply a patch to correct this issue.