Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 496
Alerts This Week
Warning Icon 1 496

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 21 articles for you...
172

Ubuntu 24.04 libheif Significant Denial of Service Patch USN-8526-2

Several security issues were fixed in libheif.. ========================================================================== Ubuntu Security Notice USN-8526-2 July 14, 2026 libheif vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS Summary: Several security issues were fixed in libheif. Software Description: - libheif: An ISO/IEC 23008-12:2017 HEIF and AVIF file format decoder and encoder Details: USN-8526-1 fixed vulnerabilities in libheif. This update provides the corresponding updates for CVE-2026-47709 and CVE-2026-47714 in Ubuntu 24.04 LTS. Original advisory details: Junyi Liu discovered that libheif had a null pointer dereference in its image tiling interface. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-47709) Calvin Young and Enoch Chow discovered that libheif had an integer overflow in its inline mask size calculation. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-47714) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS heif-gdk-pixbuf 1.17.6-1ubuntu4.6 heif-thumbnailer 1.17.6-1ubuntu4.6 libheif-dev 1.17.6-1ubuntu4.6 libheif-plugin-aomdec 1.17.6-1ubuntu4.6 libheif-plugin-aomenc 1.17.6-1ubuntu4.6 libheif-plugin-dav1d 1.17.6-1ubuntu4.6 libheif-plugin-ffmpegdec 1.17.6-1ubuntu4.6 libheif-plugin-j2kdec 1.17.6-1ubuntu4.6 libheif-plugin-j2kenc 1.17.6-1ubuntu4.6 libheif-plugin-jpegdec 1.17.6-1ubuntu4.6 libheif-plugin-jpegenc 1.17.6-1ubuntu4.6 libheif-plugin-libde265 1.17.6-1ubuntu4.6 libheif-plugin-rav1e 1.17.6-1ubuntu4.6 libheif-plugin-svtenc 1.17.6-1ubuntu4.6 libheif-plugin-x265 1.17.6-1ubuntu4.6 libheif1 1.17.6-1ubuntu4.6 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8526-2 https://ubuntu.com/security/notices/USN-8526-1 CVE-2026-47709, CVE-2026-47714 Package Information: https://launchpad.net/ubuntu/+source/libheif/1.17.6-1ubuntu4.6 . Several security issues in libheif fixed with updates for Ubuntu 24.04. Protect your systems against potential threats now.. Ubuntu patches, libheif security, application updates, Ubuntu vulnerabilities, software advisories. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 14, 2026 Important Ubuntu
203

Mageia libheif Important Buffer Overflow DoS Vulnerability 2026-0247

Security update. Publication date: 13 Jul 2026 URL: https://advisories.mageia.org/MGASA-2026-0247.html Type: security Affected Mageia releases: 10 CVE: CVE-2026-32738, CVE-2026-32739, CVE-2026-32740, CVE-2026-32741, CVE-2026-32814, CVE-2026-32882, CVE-2026-3950, CVE-2026-41069, CVE-2026-41071, CVE-2026-47178, CVE-2026-49271 Description: libheif has a Heap OOB Read/SEGV Crash via Zero samples_per_chunk. (CVE-2026-32738) libheif is Vulnerable to Infinite Loop DoS via stts Sample Duration Lookup. (CVE-2026-32739) Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing. (CVE-2026-32740) libheif has a heap buffer overflow in decode_mask_image(). (CVE-2026-32741) Uninitialized Heap Memory Information Leak via Failed Grid Tiles. (CVE-2026-32814) Heap Buffer OOB Read in overlay compositing due to wrong alpha stride. (CVE-2026-32882) strukturag libheif stsz/stts track.cc load out-of-bounds. (CVE-2026-3950) libheif allows Out-of-bounds vector access leading to invalid dereference (DoS). (CVE-2026-41069) Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz sample count. (CVE-2026-41071) A critical heap-based buffer overflow vulnerability exists in libheif v1.21.2 (and likely earlier versions) within the handling of uncompressed HEIF images (ISO/IEC 23001-17, unci item type). When processing a tiled image with chroma subsampling (e.g., 4:2:0 or 4:2:2), the library fails to scale spatial offsets for the chroma planes. This leads to out-of-bounds memory writes when decoding any tile other than the top-left one, potentially resulting in remote code execution. (CVE-2026-47178) Wrapped icef compressed-unit range check causes out-of-bounds read in uncompressed HEIF decoder. (CVE-2026-49271) References: - https://bugs.mageia.org/show_bug.cgi?id=35729 - https://ubuntu.com/security/notices/USN-8454-1 - https://ubuntu.com/security/notices/USN-8479-1 - https://www.cve.org/CVERecord?id=CVE-2026-32738 -https://www.cve.org/CVERecord?id=CVE-2026-32739 - https://www.cve.org/CVERecord?id=CVE-2026-32740 - https://www.cve.org/CVERecord?id=CVE-2026-32741 - https://www.cve.org/CVERecord?id=CVE-2026-32814 - https://www.cve.org/CVERecord?id=CVE-2026-32882 - https://www.cve.org/CVERecord?id=CVE-2026-3950 - https://www.cve.org/CVERecord?id=CVE-2026-41069 - https://www.cve.org/CVERecord?id=CVE-2026-41071 - https://www.cve.org/CVERecord?id=CVE-2026-47178 - https://www.cve.org/CVERecord?id=CVE-2026-49271 SRPMS: - 10/core/libheif-1.20.2-3.1.mga10 - 10/tainted/libheif-1.20.2-3.1.mga10.tainted . libheif faces multiple security issues leading to potential remote code execution, requiring urgent updates for Mageia users.. Mageia, libheif, buffer overflow, security advisory, remote code execution. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 13, 2026 Important Mageia
172

Ubuntu 26.04 LTS libheif Major Denial of Service Vulnerabilities USN-8526-1

Several security issues were fixed in libheif.. ========================================================================== Ubuntu Security Notice USN-8526-1 July 09, 2026 libheif vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 Summary: Several security issues were fixed in libheif. Software Description: - libheif: An ISO/IEC 23008-12:2017 HEIF and AVIF file format decoder and encoder Details: Xianrui Dong discovered that libheif had an out-of-bounds read in its HEIF sequence track parser. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-47254) Junyi Liu discovered that libheif had a null pointer dereference in its image tiling interface. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-47709) Calvin Young and Enoch Chow discovered that libheif had an integer overflow in its inline mask size calculation. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-47714) Ariel Koren discovered that libheif had an integer underflow in its grid image tile coordinate transform. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-48029) It was discovered that libheif had a missing bound check in its HEIF sequence parser, allowing unbounded heap allocation. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-50142) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS heif-gdk-pixbuf 1.21.2-3ubuntu0.3 heif-thumbnailer 1.21.2-3ubuntu0.3 heif-view 1.21.2-3ubuntu0.3 libheif-dev 1.21.2-3ubuntu0.3 libheif-examples 1.21.2-3ubuntu0.3 libheif-plugin-aomdec 1.21.2-3ubuntu0.3 libheif-plugin-aomenc 1.21.2-3ubuntu0.3 libheif-plugin-dav1d 1.21.2-3ubuntu0.3 libheif-plugin-ffmpegdec 1.21.2-3ubuntu0.3 libheif-plugin-j2kdec 1.21.2-3ubuntu0.3 libheif-plugin-j2kenc 1.21.2-3ubuntu0.3 libheif-plugin-jpegdec 1.21.2-3ubuntu0.3 libheif-plugin-jpegenc 1.21.2-3ubuntu0.3 libheif-plugin-kvazaar 1.21.2-3ubuntu0.3 libheif-plugin-libde265 1.21.2-3ubuntu0.3 libheif-plugin-rav1e 1.21.2-3ubuntu0.3 libheif-plugin-svtenc 1.21.2-3ubuntu0.3 libheif-plugin-x265 1.21.2-3ubuntu0.3 libheif-plugins-all 1.21.2-3ubuntu0.3 libheif1 1.21.2-3ubuntu0.3 Ubuntu 25.10 heif-gdk-pixbuf 1.20.2-1ubuntu0.6 heif-thumbnailer 1.20.2-1ubuntu0.6 heif-view 1.20.2-1ubuntu0.6 libheif-dev 1.20.2-1ubuntu0.6 libheif-examples 1.20.2-1ubuntu0.6 libheif-plugin-aomdec 1.20.2-1ubuntu0.6 libheif-plugin-aomenc 1.20.2-1ubuntu0.6 libheif-plugin-dav1d 1.20.2-1ubuntu0.6 libheif-plugin-ffmpegdec 1.20.2-1ubuntu0.6 libheif-plugin-j2kdec 1.20.2-1ubuntu0.6 libheif-plugin-j2kenc 1.20.2-1ubuntu0.6 libheif-plugin-jpegdec 1.20.2-1ubuntu0.6 libheif-plugin-jpegenc 1.20.2-1ubuntu0.6 libheif-plugin-kvazaar 1.20.2-1ubuntu0.6 libheif-plugin-libde265 1.20.2-1ubuntu0.6 libheif-plugin-rav1e 1.20.2-1ubuntu0.6 libheif-plugin-svtenc 1.20.2-1ubuntu0.6 libheif-plugin-x265 1.20.2-1ubuntu0.6 libheif-plugins-all 1.20.2-1ubuntu0.6 libheif1 1.20.2-1ubuntu0.6 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8526-1 CVE-2026-47254, CVE-2026-47709, CVE-2026-47714,CVE-2026-48029, CVE-2026-50142 Package Information: https://launchpad.net/ubuntu/+source/libheif/1.21.2-3ubuntu0.3 https://launchpad.net/ubuntu/+source/libheif/1.20.2-1ubuntu0.6 . Several security issues affecting libheif on Ubuntu 26.04 LTS and 25.10 have been addressed. Update recommended.. Ubuntu security update, libheif vulnerabilities, software security patch. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 09, 2026 Important Ubuntu
202

openSUSE 2026-2681-1 libheif Moderate Information Leak and Root Access

An update that solves two vulnerabilities can now be installed.. # Security update for libheif Announcement ID: SUSE-SU-2026:2681-1 Release Date: 2026-06-29T13:27:52Z Rating: moderate References: * bsc#1261658 * bsc#1265878 Cross-References: * CVE-2026-32282 * CVE-2026-32814 CVSS scores: * CVE-2026-32282 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-32282 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2026-32282 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2026-32814 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-32814 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N * CVE-2026-32814 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Affected Products: * openSUSE Leap 15.4 An update that solves two vulnerabilities can now be installed. ## Description: This update for libheif fixes the following issues * CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on Linux (bsc#1261658). * CVE-2026-32814: Uninitialized Heap Memory Information Leak via Failed Grid Tiles (bsc#1265878). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch SUSE-2026-2681=1 ## Package List: * openSUSE Leap 15.4 (aarch64 i586 ppc64le s390x x86_64) * libheif-devel-1.12.0-150400.3.20.1 * libheif-debugsource-1.12.0-150400.3.20.1 * gdk-pixbuf-loader-libheif-debuginfo-1.12.0-150400.3.20.1 * libheif1-debuginfo-1.12.0-150400.3.20.1 * gdk-pixbuf-loader-libheif-1.12.0-150400.3.20.1 * libheif1-1.12.0-150400.3.20.1 * openSUSE Leap 15.4 (x86_64) * libheif1-32bit-debuginfo-1.12.0-150400.3.20.1 * libheif1-32bit-1.12.0-150400.3.20.1 * openSUSE Leap 15.4 (aarch64_ilp32) *libheif1-64bit-debuginfo-1.12.0-150400.3.20.1 * libheif1-64bit-1.12.0-150400.3.20.1 ## References: * https://www.suse.com/security/cve/CVE-2026-32282.html * https://www.suse.com/security/cve/CVE-2026-32814.html * https://bugzilla.suse.com/show_bug.cgi?id=1261658 * https://bugzilla.suse.com/show_bug.cgi?id=1265878 . # Security update for libheif Announcement ID: SUSE-SU-2026:2681-1 Release Date: 2026-06-29T13:27:52. update, solves, vulnerabilities, installed, security, libheif, announ. . Severity: moderate. LinuxSecurity.com Team

Calendar%202 Jun 29, 2026 moderate OpenSUSE
100

SUSE openSUSE Leap 15.4 libheif Moderate Info Leak Attack SUSE-2026-2681-1

An update that solves two vulnerabilities can now be installed.. # Security update for libheif Announcement ID: SUSE-SU-2026:2681-1 Release Date: 2026-06-29T13:27:52Z Rating: moderate References: * bsc#1261658 * bsc#1265878 Cross-References: * CVE-2026-32282 * CVE-2026-32814 CVSS scores: * CVE-2026-32282 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-32282 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2026-32282 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2026-32814 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-32814 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N * CVE-2026-32814 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Affected Products: * openSUSE Leap 15.4 An update that solves two vulnerabilities can now be installed. ## Description: This update for libheif fixes the following issues * CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on Linux (bsc#1261658). * CVE-2026-32814: Uninitialized Heap Memory Information Leak via Failed Grid Tiles (bsc#1265878). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch SUSE-2026-2681=1 ## Package List: * openSUSE Leap 15.4 (aarch64 i586 ppc64le s390x x86_64) * libheif-devel-1.12.0-150400.3.20.1 * libheif-debugsource-1.12.0-150400.3.20.1 * gdk-pixbuf-loader-libheif-debuginfo-1.12.0-150400.3.20.1 * libheif1-debuginfo-1.12.0-150400.3.20.1 * gdk-pixbuf-loader-libheif-1.12.0-150400.3.20.1 * libheif1-1.12.0-150400.3.20.1 * openSUSE Leap 15.4 (x86_64) * libheif1-32bit-debuginfo-1.12.0-150400.3.20.1 * libheif1-32bit-1.12.0-150400.3.20.1 * openSUSE Leap 15.4 (aarch64_ilp32) *libheif1-64bit-debuginfo-1.12.0-150400.3.20.1 * libheif1-64bit-1.12.0-150400.3.20.1 ## References: * https://www.suse.com/security/cve/CVE-2026-32282.html * https://www.suse.com/security/cve/CVE-2026-32814.html * https://bugzilla.suse.com/show_bug.cgi?id=1261658 * https://bugzilla.suse.com/show_bug.cgi?id=1265878 . Update for libheif fixes two vulnerabilities including root symlink privilege escalation and a memory leak issue.. SUSE libheif vulnerabilities update information leak root symlink. . Severity: moderate. LinuxSecurity.com Team

Calendar%202 Jun 29, 2026 moderate SuSE
172

Ubuntu 26.04 LTS libheif Critical Denial of Service CVE-2026-47178

Several security issues were fixed in libheif.. ========================================================================== Ubuntu Security Notice USN-8479-1 June 29, 2026 libheif vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 Summary: Several security issues were fixed in libheif. Software Description: - libheif: An ISO/IEC 23008-12:2017 HEIF and AVIF file format decoder and encoder Details: It was discovered that libheif incorrectly handled certain crafted HEIF files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-47178) It was discovered that libheif incorrectly validated offsets when decoding certain crafted HEIF files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-49271) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS heif-gdk-pixbuf 1.21.2-3ubuntu0.2 heif-thumbnailer 1.21.2-3ubuntu0.2 heif-view 1.21.2-3ubuntu0.2 libheif-dev 1.21.2-3ubuntu0.2 libheif-plugin-aomdec 1.21.2-3ubuntu0.2 libheif-plugin-aomenc 1.21.2-3ubuntu0.2 libheif-plugin-dav1d 1.21.2-3ubuntu0.2 libheif-plugin-ffmpegdec 1.21.2-3ubuntu0.2 libheif-plugin-j2kdec 1.21.2-3ubuntu0.2 libheif-plugin-j2kenc 1.21.2-3ubuntu0.2 libheif-plugin-jpegdec 1.21.2-3ubuntu0.2 libheif-plugin-jpegenc 1.21.2-3ubuntu0.2 libheif-plugin-kvazaar 1.21.2-3ubuntu0.2 libheif-plugin-libde265 1.21.2-3ubuntu0.2 libheif-plugin-rav1e 1.21.2-3ubuntu0.2 libheif-plugin-svtenc 1.21.2-3ubuntu0.2 libheif-plugin-x265 1.21.2-3ubuntu0.2 libheif-plugins-all 1.21.2-3ubuntu0.2 libheif1 1.21.2-3ubuntu0.2 Ubuntu 25.10 heif-gdk-pixbuf 1.20.2-1ubuntu0.5 heif-thumbnailer 1.20.2-1ubuntu0.5 heif-view 1.20.2-1ubuntu0.5 libheif-dev 1.20.2-1ubuntu0.5 libheif-plugin-aomdec 1.20.2-1ubuntu0.5 libheif-plugin-aomenc 1.20.2-1ubuntu0.5 libheif-plugin-dav1d 1.20.2-1ubuntu0.5 libheif-plugin-ffmpegdec 1.20.2-1ubuntu0.5 libheif-plugin-j2kdec 1.20.2-1ubuntu0.5 libheif-plugin-j2kenc 1.20.2-1ubuntu0.5 libheif-plugin-jpegdec 1.20.2-1ubuntu0.5 libheif-plugin-jpegenc 1.20.2-1ubuntu0.5 libheif-plugin-kvazaar 1.20.2-1ubuntu0.5 libheif-plugin-libde265 1.20.2-1ubuntu0.5 libheif-plugin-rav1e 1.20.2-1ubuntu0.5 libheif-plugin-svtenc 1.20.2-1ubuntu0.5 libheif-plugin-x265 1.20.2-1ubuntu0.5 libheif-plugins-all 1.20.2-1ubuntu0.5 libheif1 1.20.2-1ubuntu0.5 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8479-1 CVE-2026-47178, CVE-2026-49271 Package Information: https://launchpad.net/ubuntu/+source/libheif/1.21.2-3ubuntu0.2 https://launchpad.net/ubuntu/+source/libheif/1.20.2-1ubuntu0.5 . Several issues fixed in libheif on Ubuntu, addressing denial of service and code execution risks.. Ubuntu libheif security patch, Denial of service vulnerability, Code execution risk, Package update Ubuntu. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jun 29, 2026 Critical Ubuntu
100

SUSE libheif Important Heap Buffer Overflow DoS Solved 2026-2622-1

An update that solves 20 vulnerabilities and has four security fixes can now be installed.. # Security update for libheif Announcement ID: SUSE-SU-2026:2622-1 Release Date: 2026-06-24T11:55:37Z Rating: important References: * bsc#1255735 * bsc#1259544 * bsc#1265874 * bsc#1265875 * bsc#1265876 * bsc#1265877 * bsc#1265878 * bsc#1265879 * bsc#1265979 * bsc#1265980 * bsc#1265981 * bsc#1265982 * bsc#1265983 * bsc#1265987 * bsc#1265988 * bsc#1265989 * bsc#1265990 * bsc#1265992 * bsc#1265995 * bsc#1265996 * bsc#1265997 * bsc#1266281 * bsc#1266282 * bsc#1267455 Cross-References: * CVE-2025-68431 * CVE-2026-32738 * CVE-2026-32739 * CVE-2026-32740 * CVE-2026-32741 * CVE-2026-32814 * CVE-2026-32882 * CVE-2026-3949 * CVE-2026-3950 * CVE-2026-41069 * CVE-2026-41071 * CVE-2026-47178 * CVE-2026-47247 * CVE-2026-47251 * CVE-2026-47254 * CVE-2026-47709 * CVE-2026-47714 * CVE-2026-48029 * CVE-2026-49271 * CVE-2026-50142 CVSS scores: * CVE-2025-68431 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-68431 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2025-68431 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2025-68431 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-32738 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-32738 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-32738 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-32738 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-32739 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-32739 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-32739 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-32740 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-32740 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-32740 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-32741 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N * CVE-2026-32741 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H * CVE-2026-32741 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H * CVE-2026-32814 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-32814 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N * CVE-2026-32814 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N * CVE-2026-32882 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-32882 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-32882 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-3949 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2026-3949 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2026-3949 ( NVD ): 1.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-3949 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2026-3950 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2026-3950 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2026-3950 ( NVD ): 1.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-3950 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2026-41069 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N *CVE-2026-41069 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-41069 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-41071 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-41071 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H * CVE-2026-41071 ( NVD ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-41071 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H * CVE-2026-47178 ( SUSE ): 8.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-47178 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-47247 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-47247 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-47251 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-47251 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-47254 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-47254 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H * CVE-2026-47709 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-47709 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-47714 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-47714 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-48029 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-48029 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-49271 ( SUSE ): 6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-49271 ( SUSE ): 5.5CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-49271 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-50142 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-50142 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * Desktop Applications Module 15-SP7 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * SUSE Package Hub 15 15-SP7 An update that solves 20 vulnerabilities and has four security fixes can now be installed. ## Description: This update for libheif fixes the following issues Update to 1.23.0: * CVE-2025-68431: heap buffer over-read in `HeifPixelImage: overlay()` via crafted HEIF that exercises the overlay image item (bsc#1255735). * CVE-2026-3950: manipulation of the component stsz/stts can lead to out-of- bounds read (bsc#1259544). * CVE-2026-32738: Heap OOB Read / SEGV Crash via Zero samples_per_chunk in stsc (bsc#1265874). * CVE-2026-32739: Infinite Loop DoS in stts Sample Duration Lookup (bsc#1265875). * CVE-2026-32740: Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing (bsc#1265876). * CVE-2026-32741: heap buffer overflow in decode_mask_image() (bsc#1265877). * CVE-2026-32814: Uninitialized Heap Memory Information Leak via Failed Grid Tiles (bsc#1265878). * CVE-2026-32882: Heap Buffer OOB Read in overlay compositing due to wrong alpha stride (bsc#1265879). * CVE-2026-41069: Out-of-bounds vector access leading to invalid dereference (bsc#1265979). * CVE-2026-41071: Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz sample count (bsc#1265980). * CVE-2026-47178: Heap Out Of Bounds Write in unci subsystem (bsc#1265981). * CVE-2026-47247: Heap Information Disclosure via Grid Image Gap + Uninitialized Pixel Plane Allocation(bsc#1265982). * CVE-2026-47251: integer overflow bypass in vvdec_push_data2 (bsc#1265983). * CVE-2026-47254: Heap Buffer Overflow in `Track: get_next_sample_raw_data()` \-- OOB Chunk Vector Access (bsc#1265987). * CVE-2026-47709: NULL pointer dereference in heif_image_handle_get_image_tiling for malformed unci image missing ispe (bsc#1265988). * CVE-2026-47714: Integer overflow in inline mask size calculation causes undersized buffer allocation (bsc#1265989). * CVE-2026-48029: heap OOB read in ImageItem_Grid: decode_grid_tile via irot- induced tile-coordinate underflow (bsc#1265990). * CVE-2026-49271: Wrapped icef compressed-unit range check causes out-of- bounds read in uncompressed HEIF decoder (bsc#1266282). * CVE-2026-50142: unbounded heap allocation in HEIF sequence parser (bsc#1267455). * Heap buffer overflow via uint32_t stride overflow in image plane allocation (+ 2 additional instances) (bsc#1265997). * Incorrect byte-count initialization in BitstreamRange constructor allows container-boundary check bypass (bsc#1265995). * Integer Overflow in SampleAuxInfoReader Offset Calculation (bsc#1265992). * Out-of-bounds read and assertion-based DoS in EXIF parsing (find_exif_tag / read32) with short EXIF TIFF payload (bsc#1265996). * Out-of-bounds write in inline mask region API when source mask exceeds declared region (bsc#1266281). Changes for libheif: * version update to 1.23.0: * add API functions to read and write metadata: ambient viewing environment nominal diffuse white luminance * adds a output_image_nclx_profile_passthrough option to heif_decoding_options * CVE-2026-50142 (GHSA-jvmp-j3cw-84mh) - unbounded heap allocation in HEIF sequence parser (stsz fixed-size mode missing bound check) * version update to 1.22.2: * build issues with OpenJPEG plugin (#1813) * non-plain C in header (#1812) * CVE-2026-49271 (GHSA-r7qj-cg5r-r6vf) - Wrapped icef compressed-unit range check causes out-of-bounds read inuncompressed HEIF decoder * CVE TBD (GHSA-5hqq-636x-r3cr) - Out-of-bounds write in inline mask region API when source mask exceeds declared region * update to 1.22.0: * This is a large release with substantial new functionality, mainly focusing on generalized image formats (e.g., multi- spectral images) and a reworked implementation of ISO/IEC 23001-17 (lossless image codec). * HDR up to 64 bpp * Multi-component images with arbitrary component layouts (multi-spectral images, arbitrary non-visual data) * Filter-array (Bayer / mosaic) images, with debayering in color transformation pipeline * Metadata: chroma-sample location (cloc), sample non- uniformity (snuc), sensor bad-pixel map (sbpm), polarization pattern (splz) * heif-dec can now convert to WebP (thanks to @torusrxxx). * heif-enc can now accept input from WebP, HEIF, pure raw files (including floating point pixel data), and CMYK JPEG (converted to RGB). * TIFF input can now read many TIFF formats used in geospatial imaging, like: 16-bit, signed integers, float samples, tiled TIFFs, GeoTIFF overview images, CMYK JPEG, YCbCr-as-JPEG. TIFFs with image tiling and multi- resolution layers are now reproduced as HEIFs when converted. * PNG decoder/encoder: cICP, cLLI, and mDCV chunk support (#1697). * heif-dec: auto-correct option to fix known input errors (e.g. mismatched NCLX/VUI). * Image, Track, Sequence samples, image component GIMI content IDs * Embedding of Turtle (.ttl) metadata files; automatic parsing of GIMI content IDs from Turtle * AOM encoder plugin now auto-selects IQ tune mode * mini-box syntax updated to the current HEIF version 4 draft (thanks @bradh for the initial implementation) * unif brand (globally-unique-ID) support * OMAF (omnidirectional images): indicate ISO/IEC 23000-22 spherical/omnidirectional image projection * alpha bit-depth tracked through the color-conversion pipeline * CVE-2026-32738 (GHSA-7f2h-cmpf-v9ww) : Heap OOB Read / SEGVCrash via Zero samples_per_chunk in stsc (bsc#1265874) * CVE-2026-32739 (GHSA-j9g7-q9hv-gq8c) : Infinite Loop DoS in stts Sample Duration Lookup (bsc#1265875) * CVE-2026-32740 (GHSA-frfr-f3vg-2g6j) : Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing (bsc#1265876) * CVE-2026-32741 (GHSA-j3w5-7whq-p37q) : heap buffer overflow in decode_mask_image() (bsc#1265877) * CVE-2026-32814 (GHSA-4m8r-34pg-rvwc) : Uninitialized Heap Memory Information Leak via Failed Grid Tiles (bsc#1265878) * CVE-2026-32882 (GHSA-hg7q-rjr2-8x46) : Heap Buffer OOB Read in overlay compositing due to wrong alpha stride (bsc#1265879) * CVE-2026-41069 (GHSA-p82x-fpmv-576r) : Out-of-bounds vector access leading to invalid dereference (bsc#1265979) * CVE-2026-41071 (GHSA-xj92-xjff-h8w3) : Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz sample count (bsc#1265980) * CVE-2026-47178 (GHSA-5x55-x5pf-9c6g) : Heap Out Of Bounds Write in unci subsystem (bsc#1265981) * CVE-2026-47247 (GHSA-2vh6-whr3-cmq3) : Heap Information Disclosure via Grid Image Gap + Uninitialized Pixel Plane Allocation (bsc#1265982) * CVE-2026-47251 (GHSA-p6q9-fhf2-vj9v) : Incomplete fix for (bsc#1265983) CVE-2026-3949: integer overflow bypass in vvdec_push_data2 * CVE-2026-47254 (GHSA-wqjg-4x9g-6cvg) : Heap Buffer Overflow in `Track::get_next_sample_raw_data()` \-- OOB Chunk Vector Access (bsc#1265987) * CVE-2026-47709 (GHSA-4h72-vqgp-9376) : NULL pointer dereference in heif_image_handle_get_image_tiling for malformed unci image missing ispe (bsc#1265988) * CVE-2026-47714 (GHSA-h4wm-6wwf-qvhx) : Integer overflow in inline mask size calculation causes undersized buffer allocation (bsc#1265989) * CVE-2026-48029 (GHSA-6x5f-qchq-cxqv) : heap OOB read in ImageItem_Grid::decode_grid_tile via irot-induced tile- coordinate underflow (bsc#1265990) * (GHSA-95jx-g5vf-cpp8) : Integer Overflow in SampleAuxInfoReader Offset Calculation (bsc#1265992) * (GHSA-p4r6-6972-g26m) : Incorrect byte-count initialization in BitstreamRange constructor allows container-boundary check bypass (bsc#1265995) * (GHSA-jh2w-m72q-q595) : Out-of-bounds read and assertion- based DoS in EXIF parsing (find_exif_tag / read32) with short EXIF TIFF payload (bsc#1265996) * (GHSA-9h96-c44j-jpq9) : Heap buffer overflow via uint32_t stride overflow in image plane allocation (bsc#1265997) * ## Build / CI * requires C++20 * oss-fuzz integration overhauled * fuzzers for tile API, generic API surface, and per-codec encoders * update to 1.21.2: * build script for JS/WASM now supports building with JPEG2000 and "ISO23001-17 Uncompressed" support. * image sequence SAI data now works when using the OpenH264 decoder plugin * update to 1.21.1: * This patch release only fixes a build error with some GCC versions because of a missing #include. * update to 1.21.0: * This release adds full support for reading and writing HEIF image sequences. libheif will now encode HEIF image sequences with all included codecs. * Since HEIF image sequences are very similar to MP4 videos, this new version is also capable of decoding most MP4 videos (without audio, of course). * heif-enc documentation for sequence encoding * API documentation for reading and writing sequences * Support for image sequences with alpha channels. For most codecs, the alpha channel will be stored in a separate, auxiliary, monochrome track. For ISO/IEC 23001-17 (uncompressed) streams, the alpha channel is stored in the main video track. * Support for sequence track edit lists to define the number of sequence repetitions (without actually repeating the video data). * New encoder plugin using x264 to write H.264-compressed video streams and images. * The FFmpeg decoder plugin will now decode both H.265 and H.264. * Support for HEIF text items and language properties. * CVEs fixed: CVE-2025-68431 * update to 1.20.2: *When opening tiled images, do not check against maximum image size immediately to allow for tile-based decoding of very large images. * Several smaller fixes in writing image sequences * CMake option to disable building of heif-view, which pulls in dependency on SDL * Fixes reading/writing of GIMI content IDs * Some build fixes * Remove conditionals for openh264, we can build against noopenh264 * update to 1.20.1: * Fixes a bug in decoder plugin loading. * Changes from 1.20.0: * Sequences: * API for reading and writing image sequences. You can read and write sequences for all codecs (not just H.265 / AV1, but also JPEG-2000, ISO-23001-17 uncompressed, ...). Currently only intra-coded sequences are supported. * API for reading and writing metadata sequences. The metadata tracks can contain any raw timed data. * Support for SAI (sample auxiliary information). Timed samples (from image sequences or metadata) can have auxiliary data attached. Currently we support TAI timestamps and GIMI content description IDs. * Support for track references. * The API for sequences is described here: https://github.com/strukturag/libheif/wiki/Reading-and-Writing-Sequences * New command line tool heif-view to show HEIF sequences (requires libSDL). * Other new features: * You can specify a security limit for the maximum total memory libheif may use for decoding. This is easier to handle than specifying limits on the maximum image size or single memory allocations. * Support for TAI timestamps (in images and sequences) has been promoted from experimental to stable. * FFMPEG plugin now supports HDR decoding * Header files are now split into individual headers by topic. However, it should still be backwards compatible with heif.h being a catch-all covering the old content. For new functionality (sequences, TAI), you will need to include the specific headers. * All struct names of the API are now also typedefs. * add build requires forbrotli which it looks for since 1.18 * prepare building heif-view * update to 1.19.8: * Set essential flag for transformative properties as required by MIAF. This fixes the display of AVIF images with transformations encoded by libheif in Chrome, which checks whether this flag is set. This mainly affected images encoded by ImageMagick. * If the environment variable LIBHEIF_SECURITY_LIMITS is set to OFF, libheif will not check any security limits. This can be used if a user works with large images and the application software does not allow to adjust the libheif security limits. * Resolved processing 16-bit JPEG-2000 * update to 1.19.7: * Fixes a build error with SVT-AV1 encoder plugin when using reduced symbol visibility * update to 1.19.6: * C++ and Go wrapper licenses have been changed to MIT * supports SVT-AV1 v3.0.0 encoder * support emscripten builds for ES6 modules * Use correct license (these were changed in 2018) * Ensure Name: is conditionalized for the multibuild flavors to not overwrite the .src.rpm (which is a processed .spec) and to allow OBS to properly distinguish them flavors. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * Desktop Applications Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-2622=1 * SUSE Package Hub 15 15-SP7 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2622=1 ## Package List: * Desktop Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64) * libheif-aom-debuginfo-1.23.0-150700.3.15.1 * libheif-debugsource-1.23.0-150700.3.15.1 * libheif-jpeg-debuginfo-1.23.0-150700.3.15.1 * libheif-dav1d-1.23.0-150700.3.15.1 * libheif1-debuginfo-1.23.0-150700.3.15.1 * libheif1-1.23.0-150700.3.15.1 * libheif-jpeg-1.23.0-150700.3.15.1 *libheif-rav1e-1.23.0-150700.3.15.1 * libheif-rav1e-debuginfo-1.23.0-150700.3.15.1 * libheif-aom-1.23.0-150700.3.15.1 * libheif-dav1d-debuginfo-1.23.0-150700.3.15.1 * SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64) * gdk-pixbuf-loader-libheif-1.23.0-150700.3.15.1 * libheif-debugsource-1.23.0-150700.3.15.1 * gdk-pixbuf-loader-libheif-debuginfo-1.23.0-150700.3.15.1 * libheif-ffmpeg-debuginfo-1.23.0-150700.3.15.1 * libheif-ffmpeg-1.23.0-150700.3.15.1 * libheif-devel-1.23.0-150700.3.15.1 ## References: * https://www.suse.com/security/cve/CVE-2025-68431.html * https://www.suse.com/security/cve/CVE-2026-32738.html * https://www.suse.com/security/cve/CVE-2026-32739.html * https://www.suse.com/security/cve/CVE-2026-32740.html * https://www.suse.com/security/cve/CVE-2026-32741.html * https://www.suse.com/security/cve/CVE-2026-32814.html * https://www.suse.com/security/cve/CVE-2026-32882.html * https://www.suse.com/security/cve/CVE-2026-3949.html * https://www.suse.com/security/cve/CVE-2026-3950.html * https://www.suse.com/security/cve/CVE-2026-41069.html * https://www.suse.com/security/cve/CVE-2026-41071.html * https://www.suse.com/security/cve/CVE-2026-47178.html * https://www.suse.com/security/cve/CVE-2026-47247.html * https://www.suse.com/security/cve/CVE-2026-47251.html * https://www.suse.com/security/cve/CVE-2026-47254.html * https://www.suse.com/security/cve/CVE-2026-47709.html * https://www.suse.com/security/cve/CVE-2026-47714.html * https://www.suse.com/security/cve/CVE-2026-48029.html * https://www.suse.com/security/cve/CVE-2026-49271.html * https://www.suse.com/security/cve/CVE-2026-50142.html * https://bugzilla.suse.com/show_bug.cgi?id=1255735 * https://bugzilla.suse.com/show_bug.cgi?id=1259544 * https://bugzilla.suse.com/show_bug.cgi?id=1265874 * https://bugzilla.suse.com/show_bug.cgi?id=1265875 * https://bugzilla.suse.com/show_bug.cgi?id=1265876 * https://bugzilla.suse.com/show_bug.cgi?id=1265877 *https://bugzilla.suse.com/show_bug.cgi?id=1265878 * https://bugzilla.suse.com/show_bug.cgi?id=1265879 * https://bugzilla.suse.com/show_bug.cgi?id=1265979 * https://bugzilla.suse.com/show_bug.cgi?id=1265980 * https://bugzilla.suse.com/show_bug.cgi?id=1265981 * https://bugzilla.suse.com/show_bug.cgi?id=1265982 * https://bugzilla.suse.com/show_bug.cgi?id=1265983 * https://bugzilla.suse.com/show_bug.cgi?id=1265987 * https://bugzilla.suse.com/show_bug.cgi?id=1265988 * https://bugzilla.suse.com/show_bug.cgi?id=1265989 * https://bugzilla.suse.com/show_bug.cgi?id=1265990 * https://bugzilla.suse.com/show_bug.cgi?id=1265992 * https://bugzilla.suse.com/show_bug.cgi?id=1265995 * https://bugzilla.suse.com/show_bug.cgi?id=1265996 * https://bugzilla.suse.com/show_bug.cgi?id=1265997 * https://bugzilla.suse.com/show_bug.cgi?id=1266281 * https://bugzilla.suse.com/show_bug.cgi?id=1266282 * https://bugzilla.suse.com/show_bug.cgi?id=1267455 . An update addressing 20 vulnerabilities in libheif with important security fixes is now available for SUSE systems.. SUSE libheif update vulnerabilities fixes. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jun 24, 2026 Important SuSE
100

SUSE 16.0 libheif Important Heap Overflow DoS Fix 2026-22153-1

An update that solves 20 vulnerabilities and has five fixes can now be installed.. # Security update for libheif Announcement ID: SUSE-SU-2026:22153-1 Release Date: 2026-06-17T08:37:36Z Rating: important References: * bsc#1255735 * bsc#1259541 * bsc#1259544 * bsc#1265874 * bsc#1265875 * bsc#1265876 * bsc#1265877 * bsc#1265878 * bsc#1265879 * bsc#1265979 * bsc#1265980 * bsc#1265981 * bsc#1265982 * bsc#1265983 * bsc#1265987 * bsc#1265988 * bsc#1265989 * bsc#1265990 * bsc#1265992 * bsc#1265995 * bsc#1265996 * bsc#1265997 * bsc#1266281 * bsc#1266282 * bsc#1267455 Cross-References: * CVE-2025-68431 * CVE-2026-32738 * CVE-2026-32739 * CVE-2026-32740 * CVE-2026-32741 * CVE-2026-32814 * CVE-2026-32882 * CVE-2026-3949 * CVE-2026-3950 * CVE-2026-41069 * CVE-2026-41071 * CVE-2026-47178 * CVE-2026-47247 * CVE-2026-47251 * CVE-2026-47254 * CVE-2026-47709 * CVE-2026-47714 * CVE-2026-48029 * CVE-2026-49271 * CVE-2026-50142 CVSS scores: * CVE-2025-68431 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-68431 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2025-68431 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2025-68431 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-32738 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-32738 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-32738 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-32738 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-32739 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-32739 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-32739 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-32740 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-32740 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-32740 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-32741 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N * CVE-2026-32741 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H * CVE-2026-32741 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H * CVE-2026-32814 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-32814 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N * CVE-2026-32814 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N * CVE-2026-32882 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-32882 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-32882 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-3949 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2026-3949 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2026-3949 ( NVD ): 1.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-3949 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2026-3950 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2026-3950 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2026-3950 ( NVD ): 1.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-3950 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2026-41069 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N *CVE-2026-41069 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-41069 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-41071 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-41071 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H * CVE-2026-41071 ( NVD ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-41071 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H * CVE-2026-47178 ( SUSE ): 8.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-47178 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-47247 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-47247 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-47251 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-47251 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-47254 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-47254 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H * CVE-2026-47709 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-47709 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-47714 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-47714 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-48029 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-48029 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-49271 ( SUSE ): 6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-49271 ( SUSE ): 5.5CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-49271 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-50142 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-50142 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * SUSE Linux Enterprise Server 16.0 * SUSE Linux Enterprise Server for SAP applications 16.0 An update that solves 20 vulnerabilities and has five fixes can now be installed. ## Description: This update for libheif fixes the following issues Update to 1.23.0: * CVE-2025-68431: heap buffer over-read in `HeifPixelImage: overlay()` via crafted HEIF that exercises the overlay image item (bsc#1255735). * CVE-2026-3949: manipulation of the argument size of a malicious frame can lead to out-of-bounds read (bsc#1259541). * CVE-2026-3950: manipulation of the component stsz/stts can lead to out-of- bounds read (bsc#1259544). * CVE-2026-32738: Heap OOB Read / SEGV Crash via Zero samples_per_chunk in stsc (bsc#1265874). * CVE-2026-32739: Infinite Loop DoS in stts Sample Duration Lookup (bsc#1265875). * CVE-2026-32740: Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing (bsc#1265876). * CVE-2026-32741: heap buffer overflow in decode_mask_image() (bsc#1265877). * CVE-2026-32814: Uninitialized Heap Memory Information Leak via Failed Grid Tiles (bsc#1265878). * CVE-2026-32882: Heap Buffer OOB Read in overlay compositing due to wrong alpha stride (bsc#1265879). * CVE-2026-41069: Out-of-bounds vector access leading to invalid dereference (bsc#1265979). * CVE-2026-41071: Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz sample count (bsc#1265980). * CVE-2026-47178: Heap Out Of Bounds Write in unci subsystem (bsc#1265981). * CVE-2026-47247: Heap Information Disclosure via Grid Image Gap + Uninitialized Pixel Plane Allocation (bsc#1265982). * CVE-2026-47251: integeroverflow bypass in vvdec_push_data2 (bsc#1265983). * CVE-2026-47254: Heap Buffer Overflow in `Track: get_next_sample_raw_data()` \-- OOB Chunk Vector Access (bsc#1265987). * CVE-2026-47709: NULL pointer dereference in heif_image_handle_get_image_tiling for malformed unci image missing ispe (bsc#1265988). * CVE-2026-47714: Integer overflow in inline mask size calculation causes undersized buffer allocation (bsc#1265989). * CVE-2026-48029: heap OOB read in ImageItem_Grid: decode_grid_tile via irot- induced tile-coordinate underflow (bsc#1265990). * CVE-2026-49271: Wrapped icef compressed-unit range check causes out-of- bounds read in uncompressed HEIF decoder (bsc#1266282). * CVE-2026-50142: unbounded heap allocation in HEIF sequence parser (bsc#1267455). * Heap buffer overflow via uint32_t stride overflow in image plane allocation (+ 2 additional instances) (bsc#1265997). * Incorrect byte-count initialization in BitstreamRange constructor allows container-boundary check bypass (bsc#1265995). * Integer Overflow in SampleAuxInfoReader Offset Calculation (bsc#1265992). * Out-of-bounds read and assertion-based DoS in EXIF parsing (find_exif_tag / read32) with short EXIF TIFF payload (bsc#1265996). * Out-of-bounds write in inline mask region API when source mask exceeds declared region (bsc#1266281). * update to 1.23.0: * add API functions to read and write metadata: ambient viewing environment nominal diffuse white luminance * update to 1.22.2: * adds a output_image_nclx_profile_passthrough option to heif_decoding_options * build issues with OpenJPEG plugin (#1813) * non-plain C in header (#1812) * update to 1.22.0: * This is a large release with substantial new functionality, mainly focusing on generalized image formats (e.g., multi- spectral images) and a reworked implementation of ISO/IEC 23001-17 (lossless image codec). * HDR up to 64 bpp * Multi-component images with arbitrary component layouts (multi-spectral images, arbitrary non-visual data) * Filter-array (Bayer / mosaic) images, with debayering in color transformation pipeline * Metadata: chroma-sample location (cloc), sample non- uniformity (snuc), sensor bad-pixel map (sbpm), polarization pattern (splz) * heif-dec can now convert to WebP (thanks to @torusrxxx). * heif-enc can now accept input from WebP, HEIF, pure raw files (including floating point pixel data), and CMYK JPEG (converted to RGB). * TIFF input can now read many TIFF formats used in geospatial imaging, like: 16-bit, signed integers, float samples, tiled TIFFs, GeoTIFF overview images, CMYK JPEG, YCbCr-as-JPEG. TIFFs with image tiling and multi- resolution layers are now reproduced as HEIFs when converted. * PNG decoder/encoder: cICP, cLLI, and mDCV chunk support (#1697). * heif-dec: auto-correct option to fix known input errors (e.g. mismatched NCLX/VUI). * Image, Track, Sequence samples, image component GIMI content IDs * Embedding of Turtle (.ttl) metadata files; automatic parsing of GIMI content IDs from Turtle * AOM encoder plugin now auto-selects IQ tune mode * mini-box syntax updated to the current HEIF version 4 draft (thanks @bradh for the initial implementation) * unif brand (globally-unique-ID) support * OMAF (omnidirectional images): indicate ISO/IEC 23000-22 spherical/omnidirectional image projection * alpha bit-depth tracked through the color-conversion pipeline * ## Build / CI * requires C++20 * oss-fuzz integration overhauled * fuzzers for tile API, generic API surface, and per-codec encoders * update to 1.21.2: * build script for JS/WASM now supports building with JPEG2000 and "ISO23001-17 Uncompressed" support. * image sequence SAI data now works when using the OpenH264 decoder plugin * update to 1.21.1: * This patch release only fixes a build error with some GCC versions because of a missing #include. * update to 1.21.0: * This release adds full support for reading and writing HEIFimage sequences. libheif will now encode HEIF image sequences with all included codecs. * Since HEIF image sequences are very similar to MP4 videos, this new version is also capable of decoding most MP4 videos (without audio, of course). * heif-enc documentation for sequence encoding * API documentation for reading and writing sequences * Support for image sequences with alpha channels. For most codecs, the alpha channel will be stored in a separate, auxiliary, monochrome track. For ISO/IEC 23001-17 (uncompressed) streams, the alpha channel is stored in the main video track. * Support for sequence track edit lists to define the number of sequence repetitions (without actually repeating the video data). * New encoder plugin using x264 to write H.264-compressed video streams and images. * The FFmpeg decoder plugin will now decode both H.265 and H.264. * Support for HEIF text items and language properties. * version 1.20 requires at least ffmpeg 4, so go with version 7+ * update to 1.20.2: * When opening tiled images, do not check against maximum image size immediately to allow for tile-based decoding of very large images. * Several smaller fixes in writing image sequences * CMake option to disable building of heif-view, which pulls in dependency on SDL * Fixes reading/writing of GIMI content IDs * Some build fixes * Remove conditionals for openh264, we can build against noopenh264 * update to 1.20.1: * Fixes a bug in decoder plugin loading. * Changes from 1.20.0: * Sequences: * API for reading and writing image sequences. You can read and write sequences for all codecs (not just H.265 / AV1, but also JPEG-2000, ISO-23001-17 uncompressed, ...). Currently only intra-coded sequences are supported. * API for reading and writing metadata sequences. The metadata tracks can contain any raw timed data. * Support for SAI (sample auxiliary information). Timed samples (from image sequences or metadata) can have auxiliarydata attached. Currently we support TAI timestamps and GIMI content description IDs. * Support for track references. * The API for sequences is described here: https://github.com/strukturag/libheif/wiki/Reading-and-Writing-Sequences * New command line tool heif-view to show HEIF sequences (requires libSDL). * Other new features: * You can specify a security limit for the maximum total memory libheif may use for decoding. This is easier to handle than specifying limits on the maximum image size or single memory allocations. * Support for TAI timestamps (in images and sequences) has been promoted from experimental to stable. * FFMPEG plugin now supports HDR decoding * Header files are now split into individual headers by topic. However, it should still be backwards compatible with heif.h being a catch-all covering the old content. For new functionality (sequences, TAI), you will need to include the specific headers. * All struct names of the API are now also typedefs. * add build requires for brotli which it looks for since 1.18 * prepare building heif-view * update to 1.19.8: * Set essential flag for transformative properties as required by MIAF. This fixes the display of AVIF images with transformations encoded by libheif in Chrome, which checks whether this flag is set. This mainly affected images encoded by ImageMagick. * If the environment variable LIBHEIF_SECURITY_LIMITS is set to OFF, libheif will not check any security limits. This can be used if a user works with large images and the application software does not allow to adjust the libheif security limits. * Resolved processing 16-bit JPEG-2000 ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server 16.0 zypper in -t patch SUSE-SLES-16.0-939=1 * SUSE Linux Enterprise Server forSAP applications 16.0 zypper in -t patch SUSE-SLES-16.0-939=1 ## Package List: * SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64) * libheif-rav1e-debuginfo-1.23.0-160000.1.1 * libheif-rav1e-1.23.0-160000.1.1 * libheif-ffmpeg-1.23.0-160000.1.1 * libheif1-1.23.0-160000.1.1 * libheif-jpeg-debuginfo-1.23.0-160000.1.1 * libheif-aom-debuginfo-1.23.0-160000.1.1 * gdk-pixbuf-loader-libheif-1.23.0-160000.1.1 * gdk-pixbuf-loader-libheif-debuginfo-1.23.0-160000.1.1 * libheif-ffmpeg-debuginfo-1.23.0-160000.1.1 * libheif-jpeg-1.23.0-160000.1.1 * libheif-dav1d-1.23.0-160000.1.1 * libheif1-debuginfo-1.23.0-160000.1.1 * libheif-debugsource-1.23.0-160000.1.1 * libheif-dav1d-debuginfo-1.23.0-160000.1.1 * libheif-aom-1.23.0-160000.1.1 * libheif-openjpeg-1.23.0-160000.1.1 * libheif-openjpeg-debuginfo-1.23.0-160000.1.1 * SUSE Linux Enterprise Server for SAP applications 16.0 (x86_64) * libheif-svtenc-1.23.0-160000.1.1 * libheif-svtenc-debuginfo-1.23.0-160000.1.1 * SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64) * libheif-rav1e-debuginfo-1.23.0-160000.1.1 * libheif-rav1e-1.23.0-160000.1.1 * libheif-ffmpeg-1.23.0-160000.1.1 * libheif1-1.23.0-160000.1.1 * libheif-jpeg-debuginfo-1.23.0-160000.1.1 * libheif-aom-debuginfo-1.23.0-160000.1.1 * gdk-pixbuf-loader-libheif-1.23.0-160000.1.1 * gdk-pixbuf-loader-libheif-debuginfo-1.23.0-160000.1.1 * libheif-ffmpeg-debuginfo-1.23.0-160000.1.1 * libheif-jpeg-1.23.0-160000.1.1 * libheif-dav1d-1.23.0-160000.1.1 * libheif1-debuginfo-1.23.0-160000.1.1 * libheif-debugsource-1.23.0-160000.1.1 * libheif-dav1d-debuginfo-1.23.0-160000.1.1 * libheif-aom-1.23.0-160000.1.1 * libheif-openjpeg-1.23.0-160000.1.1 * libheif-openjpeg-debuginfo-1.23.0-160000.1.1 * SUSE Linux Enterprise Server 16.0 (aarch64 x86_64) * libheif-svtenc-1.23.0-160000.1.1 * libheif-svtenc-debuginfo-1.23.0-160000.1.1 ## References: *https://www.suse.com/security/cve/CVE-2025-68431.html * https://www.suse.com/security/cve/CVE-2026-32738.html * https://www.suse.com/security/cve/CVE-2026-32739.html * https://www.suse.com/security/cve/CVE-2026-32740.html * https://www.suse.com/security/cve/CVE-2026-32741.html * https://www.suse.com/security/cve/CVE-2026-32814.html * https://www.suse.com/security/cve/CVE-2026-32882.html * https://www.suse.com/security/cve/CVE-2026-3949.html * https://www.suse.com/security/cve/CVE-2026-3950.html * https://www.suse.com/security/cve/CVE-2026-41069.html * https://www.suse.com/security/cve/CVE-2026-41071.html * https://www.suse.com/security/cve/CVE-2026-47178.html * https://www.suse.com/security/cve/CVE-2026-47247.html * https://www.suse.com/security/cve/CVE-2026-47251.html * https://www.suse.com/security/cve/CVE-2026-47254.html * https://www.suse.com/security/cve/CVE-2026-47709.html * https://www.suse.com/security/cve/CVE-2026-47714.html * https://www.suse.com/security/cve/CVE-2026-48029.html * https://www.suse.com/security/cve/CVE-2026-49271.html * https://www.suse.com/security/cve/CVE-2026-50142.html * https://bugzilla.suse.com/show_bug.cgi?id=1255735 * https://bugzilla.suse.com/show_bug.cgi?id=1259541 * https://bugzilla.suse.com/show_bug.cgi?id=1259544 * https://bugzilla.suse.com/show_bug.cgi?id=1265874 * https://bugzilla.suse.com/show_bug.cgi?id=1265875 * https://bugzilla.suse.com/show_bug.cgi?id=1265876 * https://bugzilla.suse.com/show_bug.cgi?id=1265877 * https://bugzilla.suse.com/show_bug.cgi?id=1265878 * https://bugzilla.suse.com/show_bug.cgi?id=1265879 * https://bugzilla.suse.com/show_bug.cgi?id=1265979 * https://bugzilla.suse.com/show_bug.cgi?id=1265980 * https://bugzilla.suse.com/show_bug.cgi?id=1265981 * https://bugzilla.suse.com/show_bug.cgi?id=1265982 * https://bugzilla.suse.com/show_bug.cgi?id=1265983 * https://bugzilla.suse.com/show_bug.cgi?id=1265987 * https://bugzilla.suse.com/show_bug.cgi?id=1265988 *https://bugzilla.suse.com/show_bug.cgi?id=1265989 * https://bugzilla.suse.com/show_bug.cgi?id=1265990 * https://bugzilla.suse.com/show_bug.cgi?id=1265992 * https://bugzilla.suse.com/show_bug.cgi?id=1265995 * https://bugzilla.suse.com/show_bug.cgi?id=1265996 * https://bugzilla.suse.com/show_bug.cgi?id=1265997 * https://bugzilla.suse.com/show_bug.cgi?id=1266281 * https://bugzilla.suse.com/show_bug.cgi?id=1266282 * https://bugzilla.suse.com/show_bug.cgi?id=1267455 . Important SUSE security update for libheif addresses 20 issues including multiple heap buffer overflows.. SUSE security update, libheif vulnerabilities, important patch, out-of-bounds fixes, heap overflow. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jun 23, 2026 Important SuSE
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200