EUVD-2026-11344

🗓️ 11 Mar 2026 21:31:03Reported by EUVDType

A local out-of-bounds read in libheif Track::load up to 1.21.2; unofficial patch available.

Reporter	Title	Published	Views	Family All 24
ATTACKERKB	CVE-2026-3950	11 Mar 202619:02	–	attackerkb
Circl	CVE-2026-3950	11 Mar 202619:16	–	circl
CNNVD	libheif 缓冲区错误漏洞	11 Mar 202600:00	–	cnnvd
CVE	CVE-2026-3950	11 Mar 202619:02	–	cve
Cvelist	CVE-2026-3950 strukturag libheif stsz/stts track.cc load out-of-bounds	11 Mar 202619:02	–	cvelist
Debian CVE	CVE-2026-3950	11 Mar 202619:02	–	debiancve
NVD	CVE-2026-3950	11 Mar 202620:16	–	nvd
OPENSUSE Linux	gdk-pixbuf-loader-libheif-1.22.2-1.1 on GA media (moderate)	29 May 202600:00	–	opensuse
OSV	DEBIAN-CVE-2026-3950	11 Mar 202620:16	–	osv
OSV	ECHO-D166-5C0F-238B	13 Mar 202604:09	–	osv

[
  {
    "enisaIdVendor": [
      {
        "id": "c7cf791e-8dc9-370c-b255-db37d03128fc",
        "vendor": {
          "name": "strukturag"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "6a929d9a-c5a0-3523-89e6-e77786617dd9",
        "product": {
          "name": "libheif"
        },
        "product_version": "1.21.2"
      },
      {
        "id": "e09fef1e-a63e-3cd0-8932-21635e2a048a",
        "product": {
          "name": "libheif"
        },
        "product_version": "1.21.0"
      },
      {
        "id": "f59c34e8-1ef3-3745-94be-07e69fe2c07a",
        "product": {
          "name": "libheif"
        },
        "product_version": "1.21.1"
      }
    ]
  }
]

Source	Link
vuldb	www.vuldb.com/
vuldb	www.vuldb.com/
vuldb	www.vuldb.com/
github	www.github.com/strukturag/libheif/issues/1715
github	www.github.com/Niebelungen-D/pocs/tree/main/heif_dec_sequence_chunk_idx_oob
github	www.github.com/strukturag/libheif/pull/1721
github	www.github.com/strukturag/libheif/
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-3950

11 Mar 2026 21:31Current

5.2Medium risk

Vulners AI Score5.2

CVSS 44.8

CVSS 21.7

CVSS 3.13.3

CVSS 33.3

EPSS0.00019

SSVC