Description
A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of the component stsz/stts. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. Applying a patch is the recommended action to fix this issue. The patch available is inofficial and not approved yet.
References (7)
Core 7
Core References
Various Sources product
https://github.com/strukturag/libheif/
Permissions Required, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.350382
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.350382
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.766431
Issue Tracking issue-tracking
https://github.com/strukturag/libheif/issues/1715
Exploit, Third Party Advisory exploit
https://github.com/Niebelungen-D/pocs/tree/main/heif_dec_sequence_chunk_idx_oob
Issue Tracking issue-tracking
patch
https://github.com/strukturag/libheif/pull/1721
Scores
CVSS v3
3.3
EPSS
0.0012
EPSS Percentile
2.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-119
CWE-125
Status
published
Published
Mar 11, 2026
Tracked Since
Mar 12, 2026