CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

USN-8526-1: libheif vulnerabilities

unknownCVE-2026-47254CVE-2026-47709CVE-2026-47714CVE-2026-48029CVE-2026-50142
Xianrui Dong discovered that libheif had an out-of-bounds read in its HEIF sequence track parser. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-47254) Junyi Liu discovered that libheif had a null pointer dereference in its image tiling interface. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-47709) Calvin Young and Enoch Chow discovered that libheif had an integer overflow in its inline mask size calculation. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-47714) Ariel Koren discovered that libheif had an integer underflow in its grid image tile coordinate transform. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-48029) It was discovered that libheif had a missing bound check in its HEIF sequence parser, allowing unbounded heap allocation. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-50142)

CSIRTS triage

What
libheif has multiple vulnerabilities that could lead to denial of service or information disclosure.
Who is affected
Only Ubuntu 26.04 LTS deployments are affected.
Urgency
Remediation is urgent due to the potential for denial of service and information disclosure.
Action
Update to the latest version of libheif.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch libheif

Get an email when a new libheif advisory drops — max one per day, one-click unsubscribe.

Details

Source
Ubuntu Security Notices (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://ubuntu.com/security/notices/USN-8526-1

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-47254coverage & exploitation statusNVD · CVE.org
CVE-2026-47709coverage & exploitation statusNVD · CVE.org
CVE-2026-47714coverage & exploitation statusNVD · CVE.org
CVE-2026-48029coverage & exploitation statusNVD · CVE.org
CVE-2026-50142coverage & exploitation statusNVD · CVE.org

More from Ubuntu Security Notices