USN-8454-1
- Source
- https://ubuntu.com/security/notices/USN-8454-1
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8454-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/USN-8454-1
- Upstream
- Related
- Published
- 2026-06-18T16:41:59Z
- Modified
- 2026-06-18T22:14:12.694074951Z
- Summary
- libheif vulnerabilities
- Details
-
Elhanan Haenel discovered that libheif incorrectly handled certain malformed HEIF sequence files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32738)
Elhanan Haenel discovered that libheif incorrectly handled certain malformed HEIF sequence files, leading to an infinite loop. An attacker could possibly use this issue to cause libheif to use excessive resources, resulting in a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32739)
Elhanan Haenel discovered that libheif incorrectly handled certain crafted HEIF/AVIF image files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-32740)
It was discovered that libheif incorrectly handled certain crafted HEIF files containing mask images. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-32741)
It was discovered that libheif incorrectly handled certain crafted grid-based HEIF/AVIF files. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-32814)
It was discovered that libheif incorrectly handled certain crafted HEIF files when compositing overlay images. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-32882)
It was discovered that libheif incorrectly handled certain crafted files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-3950)
It was discovered that libheif incorrectly handled certain malformed HEIF sequence files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-41069)
It was discovered that libheif incorrectly handled certain crafted HEIF sequence files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-41071)
- References
-
- https://ubuntu.com/security/notices/USN-8454-1
- https://ubuntu.com/security/CVE-2026-3950
- https://ubuntu.com/security/CVE-2026-32738
- https://ubuntu.com/security/CVE-2026-32739
- https://ubuntu.com/security/CVE-2026-32740
- https://ubuntu.com/security/CVE-2026-32741
- https://ubuntu.com/security/CVE-2026-32814
- https://ubuntu.com/security/CVE-2026-32882
- https://ubuntu.com/security/CVE-2026-41069
- https://ubuntu.com/security/CVE-2026-41071
Affected packages
Ubuntu:24.04:LTS
libheif
Package
- Name
- libheif
- Purl
- pkg:deb/ubuntu/libheif?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.17.6-1ubuntu4.4
Affected versions
1.*
1.16.2-2ubuntu1
1.17.1-1ubuntu2
1.17.1-1ubuntu3
1.17.4-1ubuntu1
1.17.6-1ubuntu1
1.17.6-1ubuntu2
1.17.6-1ubuntu3
1.17.6-1ubuntu4
1.17.6-1ubuntu4.1
1.17.6-1ubuntu4.2
1.17.6-1ubuntu4.3
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "heif-gdk-pixbuf"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "heif-thumbnailer"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-examples"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-plugin-aomdec"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-plugin-aomenc"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-plugin-dav1d"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-plugin-ffmpegdec"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-plugin-j2kdec"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-plugin-j2kenc"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-plugin-jpegdec"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-plugin-jpegenc"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-plugin-libde265"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-plugin-rav1e"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-plugin-svtenc"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif-plugin-x265"
},
{
"binary_version": "1.17.6-1ubuntu4.4",
"binary_name": "libheif1"
}
]
}Database specific
cves_map
{
"cves": [
{
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2026-32741"
},
{
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2026-32814"
},
{
"id": "CVE-2026-32882",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
}
],
"ecosystem": "Ubuntu:24.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8454-1.json"
Ubuntu:25.10
libheif
Package
- Name
- libheif
- Purl
- pkg:deb/ubuntu/libheif?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.20.2-1ubuntu0.4
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "heif-gdk-pixbuf"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "heif-thumbnailer"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "heif-view"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-examples"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-aomdec"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-aomenc"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-dav1d"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-ffmpegdec"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-j2kdec"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-j2kenc"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-jpegdec"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-jpegenc"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-kvazaar"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-libde265"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-rav1e"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-svtenc"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugin-x265"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif-plugins-all"
},
{
"binary_version": "1.20.2-1ubuntu0.4",
"binary_name": "libheif1"
}
]
}Database specific
cves_map
{
"cves": [
{
"id": "CVE-2026-3950",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"id": "CVE-2026-32738",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"id": "CVE-2026-32739",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"id": "CVE-2026-32740",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"id": "CVE-2026-32741",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2026-32814"
},
{
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2026-32882"
},
{
"id": "CVE-2026-41069",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"severity": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"
},
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2026-41071"
}
],
"ecosystem": "Ubuntu:25.10"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8454-1.json"
Ubuntu:26.04:LTS
libheif
Package
- Name
- libheif
- Purl
- pkg:deb/ubuntu/libheif?arch=source&distro=resolute
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.21.2-3ubuntu0.1
Affected versions
1.*
1.20.2-1
1.20.2-2
1.20.2-2build1
1.20.2-2build2
1.20.2-2ubuntu1
1.21.2-1
1.21.2-3
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "heif-gdk-pixbuf"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "heif-thumbnailer"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "heif-view"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-examples"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-aomdec"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-aomenc"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-dav1d"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-ffmpegdec"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-j2kdec"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-j2kenc"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-jpegdec"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-jpegenc"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-kvazaar"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-libde265"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-rav1e"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-svtenc"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugin-x265"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif-plugins-all"
},
{
"binary_version": "1.21.2-3ubuntu0.1",
"binary_name": "libheif1"
}
]
}Database specific
cves_map
{
"cves": [
{
"id": "CVE-2026-3950",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2026-32738"
},
{
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2026-32739"
},
{
"id": "CVE-2026-32740",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"id": "CVE-2026-32741",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"id": "CVE-2026-32814",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2026-32882"
},
{
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2026-41069"
},
{
"id": "CVE-2026-41071",
"severity": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"
},
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
}
],
"ecosystem": "Ubuntu:26.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8454-1.json"
Ubuntu:Pro:18.04:LTS
libheif
Package
- Name
- libheif
- Purl
- pkg:deb/ubuntu/libheif?arch=source&distro=esm-apps%2Fbionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.1.0-2ubuntu0.1~esm3
Ecosystem specific
{
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_version": "1.1.0-2ubuntu0.1~esm3",
"binary_name": "libheif-examples"
},
{
"binary_version": "1.1.0-2ubuntu0.1~esm3",
"binary_name": "libheif1"
}
]
}Database specific
cves_map
{
"cves": [
{
"id": "CVE-2026-32882",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
}
],
"ecosystem": "Ubuntu:Pro:18.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8454-1.json"
Ubuntu:Pro:20.04:LTS
libheif
Package
- Name
- libheif
- Purl
- pkg:deb/ubuntu/libheif?arch=source&distro=esm-apps%2Ffocal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.6.1-1ubuntu0.1~esm3
Affected versions
1.*
1.5.0-1build1
1.5.1-1
1.5.1-1build1
1.6.0-1
1.6.1-1
1.6.1-1build1
1.6.1-1ubuntu0.1~esm1
1.6.1-1ubuntu0.1~esm2
Ecosystem specific
{
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_version": "1.6.1-1ubuntu0.1~esm3",
"binary_name": "heif-gdk-pixbuf"
},
{
"binary_version": "1.6.1-1ubuntu0.1~esm3",
"binary_name": "heif-thumbnailer"
},
{
"binary_version": "1.6.1-1ubuntu0.1~esm3",
"binary_name": "libheif-examples"
},
{
"binary_version": "1.6.1-1ubuntu0.1~esm3",
"binary_name": "libheif1"
}
]
}Database specific
cves_map
{
"cves": [
{
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2026-32814"
},
{
"id": "CVE-2026-32882",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
}
],
"ecosystem": "Ubuntu:Pro:20.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8454-1.json"
Ubuntu:Pro:22.04:LTS
libheif
Package
- Name
- libheif
- Purl
- pkg:deb/ubuntu/libheif?arch=source&distro=esm-apps%2Fjammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.12.0-2ubuntu0.1~esm3
Ecosystem specific
{
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_version": "1.12.0-2ubuntu0.1~esm3",
"binary_name": "heif-gdk-pixbuf"
},
{
"binary_version": "1.12.0-2ubuntu0.1~esm3",
"binary_name": "heif-thumbnailer"
},
{
"binary_version": "1.12.0-2ubuntu0.1~esm3",
"binary_name": "libheif-examples"
},
{
"binary_version": "1.12.0-2ubuntu0.1~esm3",
"binary_name": "libheif1"
}
]
}Database specific
cves_map
{
"cves": [
{
"id": "CVE-2026-32814",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2026-32882"
}
],
"ecosystem": "Ubuntu:Pro:22.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8454-1.json"