{"id":"USN-8526-2","summary":"libheif vulnerabilities","details":"USN-8526-1 fixed vulnerabilities in libheif. This update provides the\ncorresponding updates for CVE-2026-47709 and CVE-2026-47714 in\nUbuntu 24.04 LTS.\n\nOriginal advisory details:\n\n Junyi Liu discovered that libheif had a null pointer dereference in its\n image tiling interface. An attacker could possibly use this issue to\n cause a denial of service. (CVE-2026-47709)\n\n Calvin Young and Enoch Chow discovered that libheif had an integer\n overflow in its inline mask size calculation. An attacker could\n possibly use this issue to cause a denial of service or obtain sensitive\n information. (CVE-2026-47714)","modified":"2026-07-14T23:44:41.506382344Z","published":"2026-07-14T16:29:55Z","related":["UBUNTU-CVE-2026-47709","UBUNTU-CVE-2026-47714"],"upstream":["CVE-2026-47709","CVE-2026-47714","UBUNTU-CVE-2026-47709","UBUNTU-CVE-2026-47714"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8526-2"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-47709"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-47714"}],"affected":[{"package":{"name":"libheif","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/libheif?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.17.6-1ubuntu4.6"}]}],"versions":["1.16.2-2ubuntu1","1.17.1-1ubuntu2","1.17.1-1ubuntu3","1.17.4-1ubuntu1","1.17.6-1ubuntu1","1.17.6-1ubuntu2","1.17.6-1ubuntu3","1.17.6-1ubuntu4","1.17.6-1ubuntu4.1","1.17.6-1ubuntu4.2","1.17.6-1ubuntu4.3","1.17.6-1ubuntu4.4","1.17.6-1ubuntu4.5"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.17.6-1ubuntu4.6","binary_name":"heif-gdk-pixbuf"},{"binary_name":"heif-thumbnailer","binary_version":"1.17.6-1ubuntu4.6"},{"binary_name":"libheif-examples","binary_version":"1.17.6-1ubuntu4.6"},{"binary_version":"1.17.6-1ubuntu4.6","binary_name":"libheif-plugin-aomdec"},{"binary_name":"libheif-plugin-aomenc","binary_version":"1.17.6-1ubuntu4.6"},{"binary_version":"1.17.6-1ubuntu4.6","binary_name":"libheif-plugin-dav1d"},{"binary_version":"1.17.6-1ubuntu4.6","binary_name":"libheif-plugin-ffmpegdec"},{"binary_name":"libheif-plugin-j2kdec","binary_version":"1.17.6-1ubuntu4.6"},{"binary_name":"libheif-plugin-j2kenc","binary_version":"1.17.6-1ubuntu4.6"},{"binary_name":"libheif-plugin-jpegdec","binary_version":"1.17.6-1ubuntu4.6"},{"binary_version":"1.17.6-1ubuntu4.6","binary_name":"libheif-plugin-jpegenc"},{"binary_version":"1.17.6-1ubuntu4.6","binary_name":"libheif-plugin-libde265"},{"binary_name":"libheif-plugin-rav1e","binary_version":"1.17.6-1ubuntu4.6"},{"binary_name":"libheif-plugin-svtenc","binary_version":"1.17.6-1ubuntu4.6"},{"binary_version":"1.17.6-1ubuntu4.6","binary_name":"libheif-plugin-x265"},{"binary_name":"libheif1","binary_version":"1.17.6-1ubuntu4.6"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:24.04:LTS","cves":[{"id":"CVE-2026-47709","severity":[{"type":"Ubuntu","score":"medium"}]},{"severity":[{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-47714"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8526-2.json"}}],"schema_version":"1.7.5"}