CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-47709

unknowncovered by 1 sourcefirst seen 2026-07-09
Xianrui Dong discovered that libheif had an out-of-bounds read in its HEIF sequence track parser. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-47254) Junyi Liu discovered that libheif had a null pointer dereference in its image tiling interface. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-47709) Calvin Young and Enoch Chow discovered that libheif had an integer overflow in its inline mask size calculation. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-47714) Ariel Koren discovered that libheif had an integer underflow in its grid image tile coordinate transform. An attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-48029) It was discovered that libheif had a missing bound check in its HEIF sequence parser, allowing unbounded heap allocation. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-50142)

CSIRTS triage

What
libheif has multiple vulnerabilities that could lead to denial of service or information disclosure.
Who is affected
Only Ubuntu 26.04 LTS deployments are affected.
Urgency
Remediation is urgent due to the potential for denial of service and information disclosure.
Action
Update to the latest version of libheif.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-47709

Get an email if CVE-2026-47709 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-47709

CVE.org record

Embed the live status

CVE-2026-47709 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-47709 status](https://www.csirts.com/badge/CVE-2026-47709)](https://www.csirts.com/cve/CVE-2026-47709)