Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 538
Alerts This Week
Warning Icon 1 538

Ubuntu 26.04 LTS libheif Major Denial of Service Vulnerabilities USN-8526-1

ubuntu
Calendar Grey July 9, 2026
Dist Ubuntu Esm H88
Several security issues affecting libheif on Ubuntu 26.04 LTS and 25.10 have been addressed. Update recommended.
Several security issues were fixed in libheif.

Summary

Several security issues were fixed in libheif.

Software Description:

- libheif: An ISO/IEC 23008-12:2017 HEIF and AVIF file format decoder and encoder

Details:

Xianrui Dong discovered that libheif had an out-of-bounds read in its

HEIF sequence track parser. An attacker could possibly use this issue

to cause a denial of service or obtain sensitive information. This issue

only affected Ubuntu 26.04 LTS. (CVE-2026-47254)

Junyi Liu discovered that libheif had a null pointer dereference in its

image tiling interface. An attacker could possibly use this issue to

cause a denial of service. (CVE-2026-47709)

Calvin Young and Enoch Chow discovered that libheif had an integer

overflow in its inline mask size calculation. An attacker could

possibly use this issue to cause a denial of service or obtain sensitive

information. (CVE-2026-47714)

Ariel Koren discovered that libheif had an integer underflow in its

grid image tile coordinate transform. An attacker could possibly use

this issue t...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  heif-gdk-pixbuf                 1.21.2-3ubuntu0.3
  heif-thumbnailer                1.21.2-3ubuntu0.3
  heif-view                       1.21.2-3ubuntu0.3
  libheif-dev                     1.21.2-3ubuntu0.3
  libheif-examples                1.21.2-3ubuntu0.3
  libheif-plugin-aomdec           1.21.2-3ubuntu0.3
  libheif-plugin-aomenc           1.21.2-3ubuntu0.3
  libheif-plugin-dav1d            1.21.2-3ubuntu0.3
  libheif-plugin-ffmpegdec        1.21.2-3ubuntu0.3
  libheif-plugin-j2kdec           1.21.2-3ubuntu0.3
  libheif-plugin-j2kenc           1.21.2-3ubuntu0.3
  libheif-plugin-jpegdec          1.21.2-3ubuntu0.3
  libheif-plugin-jpegenc          1.21.2-3ubuntu0.3
  libheif-plugin-kvazaar          1.21.2-3ubuntu0.3
  libheif-plugin-libde265         1.21.2-3ubuntu0.3
  libheif-plugin-rav1e            1.21.2-3ubuntu0.3
  libheif-plugin-svtenc           1.21.2-3ubuntu0.3
  libheif-plugin-x265             1.21.2-3ubuntu0.3
  libheif-plugins-all             1.21.2-3ubuntu0.3
  libheif1                        1.21.2-3ubuntu0.3

Ubuntu 25.10
  heif-gdk-pixbuf                 1.20.2-1ubuntu0.6
  heif-thumbnailer                1.20.2-1ubuntu0.6
  heif-view                       1.20.2-1ubuntu0.6
  libheif-dev                     1.20.2-1ubuntu0.6
  libheif-examples                1.20.2-1ubuntu0.6
  libheif-plugin-aomdec           1.20.2-1ubuntu0.6
  libheif-plugin-aomenc           1.20.2-1ubuntu0.6
  libheif-plugin-dav1d            1.20.2-1ubuntu0.6
  libheif-plugin-ffmpegdec        1.20.2-1ubuntu0.6
  libheif-plugin-j2kdec           1.20.2-1ubuntu0.6
  libheif-plugin-j2kenc           1.20.2-1ubuntu0.6
  libheif-plugin-jpegdec          1.20.2-1ubuntu0.6
  libheif-plugin-jpegenc          1.20.2-1ubuntu0.6
  libheif-plugin-kvazaar          1.20.2-1ubuntu0.6
  libheif-plugin-libde265         1.20.2-1ubuntu0.6
  libheif-plugin-rav1e            1.20.2-1ubuntu0.6
  libheif-plugin-svtenc           1.20.2-1ubuntu0.6
  libheif-plugin-x265             1.20.2-1ubuntu0.6
  libheif-plugins-all             1.20.2-1ubuntu0.6
  libheif1                        1.20.2-1ubuntu0.6

In general, a standard system update will make all the necessary
changes.

References

https://ubuntu.com/security/notices/USN-8526-1

CVE-2026-47254, CVE-2026-47709, CVE-2026-47714, CVE-2026-48029,

CVE-2026-50142

Severity
important
Lowest
Low
Medium
High
Critical

Ubuntu Security Notice USN-8526-1

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.