usn-8454-1
Vulnerability from osv_ubuntu
Elhanan Haenel discovered that libheif incorrectly handled certain malformed HEIF sequence files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32738)
Elhanan Haenel discovered that libheif incorrectly handled certain malformed HEIF sequence files, leading to an infinite loop. An attacker could possibly use this issue to cause libheif to use excessive resources, resulting in a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32739)
Elhanan Haenel discovered that libheif incorrectly handled certain crafted HEIF/AVIF image files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32740)
It was discovered that libheif incorrectly handled certain crafted HEIF files containing mask images. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-32741)
It was discovered that libheif incorrectly handled certain crafted grid-based HEIF/AVIF files. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-32814)
It was discovered that libheif incorrectly handled certain crafted HEIF files when compositing overlay images. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-32882)
It was discovered that libheif incorrectly handled certain crafted files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-3950)
It was discovered that libheif incorrectly handled certain malformed HEIF sequence files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-41069)
It was discovered that libheif incorrectly handled certain crafted HEIF sequence files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-41071)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2026-32882",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libheif-examples",
"binary_version": "1.1.0-2ubuntu0.1~esm3"
},
{
"binary_name": "libheif1",
"binary_version": "1.1.0-2ubuntu0.1~esm3"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "libheif",
"purl": "pkg:deb/ubuntu/libheif@1.1.0-2ubuntu0.1~esm3?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0-2ubuntu0.1~esm3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.1.0-2",
"1.1.0-2ubuntu0.1~esm1",
"1.1.0-2ubuntu0.1~esm2"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2026-32814",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32882",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "heif-gdk-pixbuf",
"binary_version": "1.6.1-1ubuntu0.1~esm3"
},
{
"binary_name": "heif-thumbnailer",
"binary_version": "1.6.1-1ubuntu0.1~esm3"
},
{
"binary_name": "libheif-examples",
"binary_version": "1.6.1-1ubuntu0.1~esm3"
},
{
"binary_name": "libheif1",
"binary_version": "1.6.1-1ubuntu0.1~esm3"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "libheif",
"purl": "pkg:deb/ubuntu/libheif@1.6.1-1ubuntu0.1~esm3?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1-1ubuntu0.1~esm3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5.0-1build1",
"1.5.1-1",
"1.5.1-1build1",
"1.6.0-1",
"1.6.1-1",
"1.6.1-1build1",
"1.6.1-1ubuntu0.1~esm1",
"1.6.1-1ubuntu0.1~esm2"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2026-32814",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32882",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:22.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "heif-gdk-pixbuf",
"binary_version": "1.12.0-2ubuntu0.1~esm3"
},
{
"binary_name": "heif-thumbnailer",
"binary_version": "1.12.0-2ubuntu0.1~esm3"
},
{
"binary_name": "libheif-examples",
"binary_version": "1.12.0-2ubuntu0.1~esm3"
},
{
"binary_name": "libheif1",
"binary_version": "1.12.0-2ubuntu0.1~esm3"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "libheif",
"purl": "pkg:deb/ubuntu/libheif@1.12.0-2ubuntu0.1~esm3?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.0-2ubuntu0.1~esm3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.11.0-1",
"1.12.0-2build1",
"1.12.0-2ubuntu0.1~esm1",
"1.12.0-2ubuntu0.1~esm2"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2026-32741",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32814",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32882",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:24.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "heif-gdk-pixbuf",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "heif-thumbnailer",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-examples",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-plugin-aomdec",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-plugin-aomenc",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-plugin-dav1d",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-plugin-ffmpegdec",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-plugin-j2kdec",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-plugin-j2kenc",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-plugin-jpegdec",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-plugin-jpegenc",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-plugin-libde265",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-plugin-rav1e",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-plugin-svtenc",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif-plugin-x265",
"binary_version": "1.17.6-1ubuntu4.4"
},
{
"binary_name": "libheif1",
"binary_version": "1.17.6-1ubuntu4.4"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "libheif",
"purl": "pkg:deb/ubuntu/libheif@1.17.6-1ubuntu4.4?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.6-1ubuntu4.4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.16.2-2ubuntu1",
"1.17.1-1ubuntu2",
"1.17.1-1ubuntu3",
"1.17.4-1ubuntu1",
"1.17.6-1ubuntu1",
"1.17.6-1ubuntu2",
"1.17.6-1ubuntu3",
"1.17.6-1ubuntu4",
"1.17.6-1ubuntu4.1",
"1.17.6-1ubuntu4.2",
"1.17.6-1ubuntu4.3"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2026-3950",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32738",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32739",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32740",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32741",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32814",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32882",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-41069",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-41071",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:25.10"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "heif-gdk-pixbuf",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "heif-thumbnailer",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "heif-view",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-examples",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-aomdec",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-aomenc",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-dav1d",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-ffmpegdec",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-j2kdec",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-j2kenc",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-jpegdec",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-jpegenc",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-kvazaar",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-libde265",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-rav1e",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-svtenc",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugin-x265",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif-plugins-all",
"binary_version": "1.20.2-1ubuntu0.4"
},
{
"binary_name": "libheif1",
"binary_version": "1.20.2-1ubuntu0.4"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "libheif",
"purl": "pkg:deb/ubuntu/libheif@1.20.2-1ubuntu0.4?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.2-1ubuntu0.4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.19.7-1",
"1.19.8-1",
"1.20.2-1",
"1.20.2-1ubuntu0.1",
"1.20.2-1ubuntu0.3"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2026-3950",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32738",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32739",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32740",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32741",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32814",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-32882",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-41069",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-41071",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:26.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "heif-gdk-pixbuf",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "heif-thumbnailer",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "heif-view",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-examples",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-aomdec",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-aomenc",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-dav1d",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-ffmpegdec",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-j2kdec",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-j2kenc",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-jpegdec",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-jpegenc",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-kvazaar",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-libde265",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-rav1e",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-svtenc",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugin-x265",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif-plugins-all",
"binary_version": "1.21.2-3ubuntu0.1"
},
{
"binary_name": "libheif1",
"binary_version": "1.21.2-3ubuntu0.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "libheif",
"purl": "pkg:deb/ubuntu/libheif@1.21.2-3ubuntu0.1?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.2-3ubuntu0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.20.2-1",
"1.20.2-2",
"1.20.2-2build1",
"1.20.2-2build2",
"1.20.2-2ubuntu1",
"1.21.2-1",
"1.21.2-3"
]
}
],
"aliases": [],
"details": "Elhanan Haenel discovered that libheif incorrectly handled certain\nmalformed HEIF sequence files. An attacker could possibly use this\nissue to cause a denial of service. This issue only affected Ubuntu 25.10\nand Ubuntu 26.04 LTS. (CVE-2026-32738)\n\nElhanan Haenel discovered that libheif incorrectly handled certain\nmalformed HEIF sequence files, leading to an infinite loop. An attacker\ncould possibly use this issue to cause libheif to use excessive\nresources, resulting in a denial of service. This issue only affected\nUbuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32739)\n\nElhanan Haenel discovered that libheif incorrectly handled certain\ncrafted HEIF/AVIF image files. An attacker could possibly use this issue\nto cause a denial of service or execute arbitrary code. This issue only\naffected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32740)\n\nIt was discovered that libheif incorrectly handled certain crafted HEIF\nfiles containing mask images. An attacker could possibly use this issue to\ncause a denial of service or execute arbitrary code. This issue only\naffected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS.\n(CVE-2026-32741)\n\nIt was discovered that libheif incorrectly handled certain crafted\ngrid-based HEIF/AVIF files. An attacker could possibly use this issue to\nobtain sensitive information. This issue only affected Ubuntu 20.04 LTS,\nUbuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS.\n(CVE-2026-32814)\n\nIt was discovered that libheif incorrectly handled certain crafted HEIF\nfiles when compositing overlay images. An attacker could possibly use this\nissue to cause a denial of service or obtain sensitive information.\n(CVE-2026-32882)\n\nIt was discovered that libheif incorrectly handled certain crafted\nfiles. An attacker could possibly use this issue to cause a denial of\nservice. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS.\n(CVE-2026-3950)\n\nIt was discovered that libheif incorrectly handled certain malformed\nHEIF sequence files. An attacker could possibly use this issue to cause a\ndenial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04\nLTS. (CVE-2026-41069)\n\nIt was discovered that libheif incorrectly handled certain crafted HEIF\nsequence files. An attacker could possibly use this issue to cause a denial\nof service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS.\n(CVE-2026-41071)",
"id": "USN-8454-1",
"modified": "2026-06-30T15:55:21Z",
"published": "2026-06-18T16:41:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8454-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-3950"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-32738"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-32739"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-32740"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-32741"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-32814"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-32882"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-41069"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-41071"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "libheif vulnerabilities",
"upstream": [
"UBUNTU-CVE-2026-3950",
"UBUNTU-CVE-2026-32738",
"UBUNTU-CVE-2026-32739",
"UBUNTU-CVE-2026-32740",
"UBUNTU-CVE-2026-32741",
"UBUNTU-CVE-2026-32814",
"UBUNTU-CVE-2026-32882",
"UBUNTU-CVE-2026-41069",
"UBUNTU-CVE-2026-41071"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.