SecurityHome.eu [USN-8454-1] libheif vulnerabilities

Home / mailings PDF

[USN-8454-1] libheif vulnerabilities
Posted on 18 June 2026
Ubuntu Security
==========================================================================Ubuntu Security Notice USN-8454-1
June 18, 2026

libheif vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in libheif.

Software Description:
- libheif: An ISO/IEC 23008-12:2017 HEIF and AVIF file format decoder and encoder

Details:

Elhanan Haenel discovered that libheif incorrectly handled certain
malformed HEIF sequence files. An attacker could possibly use this
issue to cause a denial of service. This issue only affected Ubuntu 25.10
and Ubuntu 26.04 LTS. (CVE-2026-32738)

Elhanan Haenel discovered that libheif incorrectly handled certain
malformed HEIF sequence files, leading to an infinite loop. An attacker
could possibly use this issue to cause libheif to use excessive
resources, resulting in a denial of service. This issue only affected
Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32739)

Elhanan Haenel discovered that libheif incorrectly handled certain
crafted HEIF/AVIF image files. An attacker could possibly use this issue
to cause a denial of service or execute arbitrary code. This issue only
affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32740)

It was discovered that libheif incorrectly handled certain crafted HEIF
files containing mask images. An attacker could possibly use this issue to
cause a denial of service or execute arbitrary code. This issue only
affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS.
(CVE-2026-32741)

It was discovered that libheif incorrectly handled certain crafted
grid-based HEIF/AVIF files. An attacker could possibly use this issue to
obtain sensitive information. This issue only affected Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS.
(CVE-2026-32814)

It was discovered that libheif incorrectly handled certain crafted HEIF
files when compositing overlay images. An attacker could possibly use this
issue to cause a denial of service or obtain sensitive information.
(CVE-2026-32882)

It was discovered that libheif incorrectly handled certain crafted
files. An attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS.
(CVE-2026-3950)

It was discovered that libheif incorrectly handled certain malformed
HEIF sequence files. An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04
LTS. (CVE-2026-41069)

It was discovered that libheif incorrectly handled certain crafted HEIF
sequence files. An attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS.
(CVE-2026-41071)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
heif-gdk-pixbuf 1.21.2-3ubuntu0.1
heif-thumbnailer 1.21.2-3ubuntu0.1
heif-view 1.21.2-3ubuntu0.1
libheif-dev 1.21.2-3ubuntu0.1
libheif-plugin-aomdec 1.21.2-3ubuntu0.1
libheif-plugin-aomenc 1.21.2-3ubuntu0.1
libheif-plugin-dav1d 1.21.2-3ubuntu0.1
libheif-plugin-ffmpegdec 1.21.2-3ubuntu0.1
libheif-plugin-j2kdec 1.21.2-3ubuntu0.1
libheif-plugin-j2kenc 1.21.2-3ubuntu0.1
libheif-plugin-jpegdec 1.21.2-3ubuntu0.1
libheif-plugin-jpegenc 1.21.2-3ubuntu0.1
libheif-plugin-kvazaar 1.21.2-3ubuntu0.1
libheif-plugin-libde265 1.21.2-3ubuntu0.1
libheif-plugin-rav1e 1.21.2-3ubuntu0.1
libheif-plugin-svtenc 1.21.2-3ubuntu0.1
libheif-plugin-x265 1.21.2-3ubuntu0.1
libheif-plugins-all 1.21.2-3ubuntu0.1
libheif1 1.21.2-3ubuntu0.1

Ubuntu 25.10
heif-gdk-pixbuf 1.20.2-1ubuntu0.4
heif-thumbnailer 1.20.2-1ubuntu0.4
heif-view 1.20.2-1ubuntu0.4
libheif-dev 1.20.2-1ubuntu0.4
libheif-plugin-aomdec 1.20.2-1ubuntu0.4
libheif-plugin-aomenc 1.20.2-1ubuntu0.4
libheif-plugin-dav1d 1.20.2-1ubuntu0.4
libheif-plugin-ffmpegdec 1.20.2-1ubuntu0.4
libheif-plugin-j2kdec 1.20.2-1ubuntu0.4
libheif-plugin-j2kenc 1.20.2-1ubuntu0.4
libheif-plugin-jpegdec 1.20.2-1ubuntu0.4
libheif-plugin-jpegenc 1.20.2-1ubuntu0.4
libheif-plugin-kvazaar 1.20.2-1ubuntu0.4
libheif-plugin-libde265 1.20.2-1ubuntu0.4
libheif-plugin-rav1e 1.20.2-1ubuntu0.4
libheif-plugin-svtenc 1.20.2-1ubuntu0.4
libheif-plugin-x265 1.20.2-1ubuntu0.4
libheif-plugins-all 1.20.2-1ubuntu0.4
libheif1 1.20.2-1ubuntu0.4

Ubuntu 24.04 LTS
heif-gdk-pixbuf 1.17.6-1ubuntu4.4
heif-thumbnailer 1.17.6-1ubuntu4.4
libheif-dev 1.17.6-1ubuntu4.4
libheif-plugin-aomdec 1.17.6-1ubuntu4.4
libheif-plugin-aomenc 1.17.6-1ubuntu4.4
libheif-plugin-dav1d 1.17.6-1ubuntu4.4
libheif-plugin-ffmpegdec 1.17.6-1ubuntu4.4
libheif-plugin-j2kdec 1.17.6-1ubuntu4.4
libheif-plugin-j2kenc 1.17.6-1ubuntu4.4
libheif-plugin-jpegdec 1.17.6-1ubuntu4.4
libheif-plugin-jpegenc 1.17.6-1ubuntu4.4
libheif-plugin-libde265 1.17.6-1ubuntu4.4
libheif-plugin-rav1e 1.17.6-1ubuntu4.4
libheif-plugin-svtenc 1.17.6-1ubuntu4.4
libheif-plugin-x265 1.17.6-1ubuntu4.4
libheif1 1.17.6-1ubuntu4.4

Ubuntu 22.04 LTS
heif-gdk-pixbuf 1.12.0-2ubuntu0.1~esm3
Available with Ubuntu Pro
heif-thumbnailer 1.12.0-2ubuntu0.1~esm3
Available with Ubuntu Pro
libheif-dev 1.12.0-2ubuntu0.1~esm3
Available with Ubuntu Pro
libheif1 1.12.0-2ubuntu0.1~esm3
Available with Ubuntu Pro

Ubuntu 20.04 LTS
heif-gdk-pixbuf 1.6.1-1ubuntu0.1~esm3
Available with Ubuntu Pro
heif-thumbnailer 1.6.1-1ubuntu0.1~esm3
Available with Ubuntu Pro
libheif-dev 1.6.1-1ubuntu0.1~esm3
Available with Ubuntu Pro
libheif1 1.6.1-1ubuntu0.1~esm3
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libheif-dev 1.1.0-2ubuntu0.1~esm3
Available with Ubuntu Pro
libheif1 1.1.0-2ubuntu0.1~esm3
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8454-1
CVE-2026-32738, CVE-2026-32739, CVE-2026-32740, CVE-2026-32741,
CVE-2026-32814, CVE-2026-32882, CVE-2026-3950, CVE-2026-41069,
CVE-2026-41071

Package Information:
https://launchpad.net/ubuntu/+source/libheif/1.21.2-3ubuntu0.1
https://launchpad.net/ubuntu/+source/libheif/1.20.2-1ubuntu0.4
https://launchpad.net/ubuntu/+source/libheif/1.17.6-1ubuntu4.4

--===============4645206278218705712==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

TOP

Mailings :

Last 20

Exploits :

Last 20