Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-3950 is a vulnerability in the strukturag libheif library (up to version 1.21.2) that causes an out-of-bounds read during the decoding of HEIF image sequences. The issue arises because the library does not properly validate the consistency between three key data structures in HEIF files: the 'stsc' (Sample To Chunk) box, and the 'stsz' (Sample Size) and 'stts' (Decoding Time to Sample) boxes."}, {'type': 'paragraph', 'content': "Specifically, the 'stsc' box may cover fewer samples than declared by 'stsz' and 'stts'. The Track::load function checks for overflow but does not ensure that the total samples covered by 'stsc' exactly match those declared by 'stsz' and 'stts'. This allows malformed input to proceed."}, {'type': 'paragraph', 'content': 'Later, during decoding, an invalid chunk index is computed and used without bounds checking, leading to a heap-buffer-overflow read. This memory corruption can cause crashes or other unintended behavior when processing crafted HEIF files.'}] [1, 4, 5]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing a denial of service (DoS) condition. When a crafted HEIF file with malformed sample tables is processed by vulnerable versions of libheif, it can trigger a heap-buffer-overflow read, leading to application crashes.

The attack requires local access and is considered easy to exploit, with publicly available proof-of-concept exploits. This means an attacker with local access could cause the software using libheif to crash or behave unpredictably.

While the vulnerability does not directly lead to data disclosure or privilege escalation, the resulting instability and crashes can affect the availability of the software or system components relying on libheif.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to decode crafted HEIF files that contain malformed sample tables where the 'stsc' box does not fully cover the samples declared by the 'stsz' and 'stts' boxes. The issue manifests as a heap-buffer-overflow during decoding."}, {'type': 'paragraph', 'content': "Specifically, using libheif command-line tools such as 'heif-dec -S' or 'heif-view' with a specially crafted HEIF file (e.g., seq_stsc_underflow_idx_oob.heif) can trigger the vulnerability and reveal the out-of-bounds read."}, {'type': 'paragraph', 'content': 'Running these commands with AddressSanitizer (ASAN) enabled can confirm the presence of the vulnerability by reporting heap-buffer-overflow errors.'}, {'type': 'list_item', 'content': 'heif-dec -S seq_stsc_underflow_idx_oob.heif'}, {'type': 'list_item', 'content': 'heif-view seq_stsc_underflow_idx_oob.heif'}] [1, 4]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "The recommended immediate mitigation step is to apply the available patch that validates the consistency between the 'stsc', 'stsz', and 'stts' boxes during track loading to prevent out-of-bounds reads."}, {'type': 'paragraph', 'content': 'Although the patch is currently unofficial and not yet approved, applying it can eliminate the vulnerability.'}, {'type': 'paragraph', 'content': 'Additionally, avoid processing untrusted or malformed HEIF files with vulnerable versions of libheif (up to 1.21.2) to reduce the risk of exploitation.'}] [2, 3]

Useful 0 Not Useful 0