CVE-2026-3950
Publication date 11 March 2026
Last updated 23 April 2026
Ubuntu priority
Description
A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of the component stsz/stts. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. Applying a patch is the recommended action to fix this issue. The patch available is inofficial and not approved yet.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libheif | 25.10 questing |
Vulnerable
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
Notes
mdeslaur
as of 2026-04-21, the fix in pull 1721 has not been accepted by libheif developers, but the following two commits appear to fix a similar issue, perhaps they are the right fixes for this CVE: https://github.com/strukturag/libheif/commit/71755d3d41a117685a3274bdd1214fc50a760f20 https://github.com/strukturag/libheif/commit/f20c81745e917b4c496615140385c86d7a2fa58d need to validate with reproducer
Patch details
| Package | Patch details |
|---|---|
| libheif |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
3.3 · Low
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |