==========================================================================
Ubuntu Security Notice USN-8479-1
June 29, 2026

libheif vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10

Summary:

Several security issues were fixed in libheif.

Software Description:
- libheif: An ISO/IEC 23008-12:2017 HEIF and AVIF file format decoder and 
encoder

Details:

It was discovered that libheif incorrectly handled certain crafted HEIF
files. An attacker could possibly use this issue to cause a denial of
service or execute arbitrary code. (CVE-2026-47178)

It was discovered that libheif incorrectly validated offsets when
decoding certain crafted HEIF files. An attacker could possibly use this
issue to cause a denial of service. This issue only affected Ubuntu 26.04
LTS. (CVE-2026-49271)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  heif-gdk-pixbuf                 1.21.2-3ubuntu0.2
  heif-thumbnailer                1.21.2-3ubuntu0.2
  heif-view                       1.21.2-3ubuntu0.2
  libheif-dev                     1.21.2-3ubuntu0.2
  libheif-plugin-aomdec           1.21.2-3ubuntu0.2
  libheif-plugin-aomenc           1.21.2-3ubuntu0.2
  libheif-plugin-dav1d            1.21.2-3ubuntu0.2
  libheif-plugin-ffmpegdec        1.21.2-3ubuntu0.2
  libheif-plugin-j2kdec           1.21.2-3ubuntu0.2
  libheif-plugin-j2kenc           1.21.2-3ubuntu0.2
  libheif-plugin-jpegdec          1.21.2-3ubuntu0.2
  libheif-plugin-jpegenc          1.21.2-3ubuntu0.2
  libheif-plugin-kvazaar          1.21.2-3ubuntu0.2
  libheif-plugin-libde265         1.21.2-3ubuntu0.2
  libheif-plugin-rav1e            1.21.2-3ubuntu0.2
  libheif-plugin-svtenc           1.21.2-3ubuntu0.2
  libheif-plugin-x265             1.21.2-3ubuntu0.2
  libheif-plugins-all             1.21.2-3ubuntu0.2
  libheif1                        1.21.2-3ubuntu0.2

Ubuntu 25.10
  heif-gdk-pixbuf                 1.20.2-1ubuntu0.5
  heif-thumbnailer                1.20.2-1ubuntu0.5
  heif-view                       1.20.2-1ubuntu0.5
  libheif-dev                     1.20.2-1ubuntu0.5
  libheif-plugin-aomdec           1.20.2-1ubuntu0.5
  libheif-plugin-aomenc           1.20.2-1ubuntu0.5
  libheif-plugin-dav1d            1.20.2-1ubuntu0.5
  libheif-plugin-ffmpegdec        1.20.2-1ubuntu0.5
  libheif-plugin-j2kdec           1.20.2-1ubuntu0.5
  libheif-plugin-j2kenc           1.20.2-1ubuntu0.5
  libheif-plugin-jpegdec          1.20.2-1ubuntu0.5
  libheif-plugin-jpegenc          1.20.2-1ubuntu0.5
  libheif-plugin-kvazaar          1.20.2-1ubuntu0.5
  libheif-plugin-libde265         1.20.2-1ubuntu0.5
  libheif-plugin-rav1e            1.20.2-1ubuntu0.5
  libheif-plugin-svtenc           1.20.2-1ubuntu0.5
  libheif-plugin-x265             1.20.2-1ubuntu0.5
  libheif-plugins-all             1.20.2-1ubuntu0.5
  libheif1                        1.20.2-1ubuntu0.5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8479-1
  CVE-2026-47178, CVE-2026-49271

Package Information:
  https://launchpad.net/ubuntu/+source/libheif/1.21.2-3ubuntu0.2
  https://launchpad.net/ubuntu/+source/libheif/1.20.2-1ubuntu0.5

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to