ESB-2026.6996
=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.6996 Security update for libheif 25 June 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: libheif Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2026-47178 CVE-2026-47247 CVE-2026-47251 CVE-2026-47254 CVE-2026-47709 CVE-2026-47714 CVE-2026-48029 CVE-2026-49271 CVE-2026-50142 CVE-2026-32738 CVE-2026-32739 CVE-2026-32740 CVE-2026-32741 CVE-2026-32814 CVE-2026-32882 CVE-2026-3950 CVE-2026-41069 CVE-2026-41071 CVE-2026-3949 CVE-2025-68431 Original Bulletin: https://www.suse.com/support/update/announcement/2026/suse-su-20262622-1 Comment: CVSS (Max): 8.4 CVE-2026-47178 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS (Max): 0.4% (35th)* CVE-2026-32740 2026-06-24 * Not all EPSS found when published - --------------------------BEGIN INCLUDED TEXT-------------------- Security update for libheif Announcement ID: SUSE-SU-2026:2622-1 Release Date: 2026-06-24T11:55:37Z Rating: important o bsc#1255735 o bsc#1259544 o bsc#1265874 o bsc#1265875 o bsc#1265876 o bsc#1265877 o bsc#1265878 o bsc#1265879 o bsc#1265979 o bsc#1265980 o bsc#1265981 o bsc#1265982 References: o bsc#1265983 o bsc#1265987 o bsc#1265988 o bsc#1265989 o bsc#1265990 o bsc#1265992 o bsc#1265995 o bsc#1265996 o bsc#1265997 o bsc#1266281 o bsc#1266282 o bsc#1267455 o CVE-2025-68431 o CVE-2026-32738 o CVE-2026-32739 o CVE-2026-32740 o CVE-2026-32741 o CVE-2026-32814 o CVE-2026-32882 o CVE-2026-3949 o CVE-2026-3950 o CVE-2026-41069 Cross-References: o CVE-2026-41071 o CVE-2026-47178 o CVE-2026-47247 o CVE-2026-47251 o CVE-2026-47254 o CVE-2026-47709 o CVE-2026-47714 o CVE-2026-48029 o CVE-2026-49271 o CVE-2026-50142 o CVE-2025-68431 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2025-68431 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R /S:U/C:N/I:N/A:H o CVE-2025-68431 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:N/I:N/A:H o CVE-2025-68431 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:L/I:N/A:H o CVE-2026-32738 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L /UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-32738 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R /S:U/C:N/I:N/A:H o CVE-2026-32738 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:N/I:N/A:H o CVE-2026-32738 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:N/I:N/A:H o CVE-2026-32739 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:L /UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-32739 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R /S:U/C:N/I:N/A:H o CVE-2026-32739 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:N/I:N/A:H o CVE-2026-32740 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L /UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N o CVE-2026-32740 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R /S:U/C:H/I:H/A:H o CVE-2026-32740 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:H/I:H/A:H o CVE-2026-32741 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L /UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N o CVE-2026-32741 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R /S:U/C:N/I:L/A:H o CVE-2026-32741 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:N/I:L/A:H o CVE-2026-32814 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:L /UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N o CVE-2026-32814 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R /S:U/C:H/I:N/A:N o CVE-2026-32814 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:H/I:N/A:N o CVE-2026-32882 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-32882 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R /S:U/C:L/I:N/A:H o CVE-2026-32882 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:L/I:N/A:H o CVE-2026-3949 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/ UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N o CVE-2026-3949 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/ S:U/C:N/I:N/A:L o CVE-2026-3949 ( NVD ): 1.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/ UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/ MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/ MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X o CVE-2026-3949 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/ S:U/C:N/I:N/A:L o CVE-2026-3950 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/ UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N o CVE-2026-3950 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/ S:U/C:N/I:N/A:L CVSS scores: o CVE-2026-3950 ( NVD ): 1.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/ UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/ MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/ MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X o CVE-2026-3950 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/ S:U/C:N/I:N/A:L o CVE-2026-41069 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-41069 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R /S:U/C:N/I:N/A:H o CVE-2026-41069 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:N/I:N/A:H o CVE-2026-41071 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-41071 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N /S:U/C:L/I:N/A:H o CVE-2026-41071 ( NVD ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/ UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/ MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/ MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X o CVE-2026-41071 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:H/I:N/A:H o CVE-2026-47178 ( SUSE ): 8.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N o CVE-2026-47178 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N /S:U/C:H/I:H/A:H o CVE-2026-47247 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N o CVE-2026-47247 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N /S:U/C:H/I:N/A:N o CVE-2026-47251 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-47251 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R /S:U/C:L/I:N/A:H o CVE-2026-47254 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-47254 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N /S:U/C:L/I:N/A:H o CVE-2026-47709 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-47709 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N /S:U/C:N/I:N/A:H o CVE-2026-47714 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-47714 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R /S:U/C:L/I:N/A:H o CVE-2026-48029 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-48029 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R /S:U/C:L/I:N/A:H o CVE-2026-49271 ( SUSE ): 6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-49271 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R /S:U/C:N/I:N/A:H o CVE-2026-49271 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:N/I:N/A:H o CVE-2026-50142 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N /UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-50142 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N /S:U/C:N/I:N/A:H o Desktop Applications Module 15-SP7 o SUSE Linux Enterprise Desktop 15 SP7 Affected o SUSE Linux Enterprise Real Time 15 SP7 Products: o SUSE Linux Enterprise Server 15 SP7 o SUSE Linux Enterprise Server for SAP Applications 15 SP7 o SUSE Package Hub 15 15-SP7 An update that solves 20 vulnerabilities and has four security fixes can now be installed. Description: This update for libheif fixes the following issues Update to 1.23.0: o CVE-2025-68431: heap buffer over-read in HeifPixelImage: overlay() via crafted HEIF that exercises the overlay image item (bsc#1255735). o CVE-2026-3950: manipulation of the component stsz/stts can lead to out-of-bounds read (bsc#1259544). o CVE-2026-32738: Heap OOB Read / SEGV Crash via Zero samples_per_chunk in stsc (bsc#1265874). o CVE-2026-32739: Infinite Loop DoS in stts Sample Duration Lookup (bsc# 1265875). o CVE-2026-32740: Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing (bsc#1265876). o CVE-2026-32741: heap buffer overflow in decode_mask_image() (bsc#1265877). o CVE-2026-32814: Uninitialized Heap Memory Information Leak via Failed Grid Tiles (bsc#1265878). o CVE-2026-32882: Heap Buffer OOB Read in overlay compositing due to wrong alpha stride (bsc#1265879). o CVE-2026-41069: Out-of-bounds vector access leading to invalid dereference (bsc#1265979). o CVE-2026-41071: Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz sample count (bsc#1265980). o CVE-2026-47178: Heap Out Of Bounds Write in unci subsystem (bsc#1265981). o CVE-2026-47247: Heap Information Disclosure via Grid Image Gap + Uninitialized Pixel Plane Allocation (bsc#1265982). o CVE-2026-47251: integer overflow bypass in vvdec_push_data2 (bsc#1265983). o CVE-2026-47254: Heap Buffer Overflow in Track: get_next_sample_raw_data() -- OOB Chunk Vector Access (bsc#1265987). o CVE-2026-47709: NULL pointer dereference in heif_image_handle_get_image_tiling for malformed unci image missing ispe (bsc#1265988). o CVE-2026-47714: Integer overflow in inline mask size calculation causes undersized buffer allocation (bsc#1265989). o CVE-2026-48029: heap OOB read in ImageItem_Grid: decode_grid_tile via irot-induced tile-coordinate underflow (bsc#1265990). o CVE-2026-49271: Wrapped icef compressed-unit range check causes out-of-bounds read in uncompressed HEIF decoder (bsc#1266282). o CVE-2026-50142: unbounded heap allocation in HEIF sequence parser (bsc# 1267455). o Heap buffer overflow via uint32_t stride overflow in image plane allocation (+ 2 additional instances) (bsc#1265997). o Incorrect byte-count initialization in BitstreamRange constructor allows container-boundary check bypass (bsc#1265995). o Integer Overflow in SampleAuxInfoReader Offset Calculation (bsc#1265992). o Out-of-bounds read and assertion-based DoS in EXIF parsing (find_exif_tag / read32) with short EXIF TIFF payload (bsc#1265996). o Out-of-bounds write in inline mask region API when source mask exceeds declared region (bsc#1266281). Changes for libheif: o version update to 1.23.0: o add API functions to read and write metadata: ambient viewing environment nominal diffuse white luminance o adds a output_image_nclx_profile_passthrough option to heif_decoding_options o CVE-2026-50142 (GHSA-jvmp-j3cw-84mh) - unbounded heap allocation in HEIF sequence parser (stsz fixed-size mode missing bound check) o version update to 1.22.2: o build issues with OpenJPEG plugin (#1813) o non-plain C in header (#1812) o CVE-2026-49271 (GHSA-r7qj-cg5r-r6vf) - Wrapped icef compressed-unit range check causes out-of-bounds read in uncompressed HEIF decoder o CVE TBD (GHSA-5hqq-636x-r3cr) - Out-of-bounds write in inline mask region API when source mask exceeds declared region o update to 1.22.0: o This is a large release with substantial new functionality, mainly focusing on generalized image formats (e.g., multi- spectral images) and a reworked implementation of ISO/IEC 23001-17 (lossless image codec). o HDR up to 64 bpp o Multi-component images with arbitrary component layouts (multi-spectral images, arbitrary non-visual data) o Filter-array (Bayer / mosaic) images, with debayering in color transformation pipeline o Metadata: chroma-sample location (cloc), sample non- uniformity (snuc), sensor bad-pixel map (sbpm), polarization pattern (splz) o heif-dec can now convert to WebP (thanks to @torusrxxx). o heif-enc can now accept input from WebP, HEIF, pure raw files (including floating point pixel data), and CMYK JPEG (converted to RGB). o TIFF input can now read many TIFF formats used in geospatial imaging, like: 16-bit, signed integers, float samples, tiled TIFFs, GeoTIFF overview images, CMYK JPEG, YCbCr-as-JPEG. TIFFs with image tiling and multi-resolution layers are now reproduced as HEIFs when converted. o PNG decoder/encoder: cICP, cLLI, and mDCV chunk support (#1697). o heif-dec: auto-correct option to fix known input errors (e.g. mismatched NCLX/VUI). o Image, Track, Sequence samples, image component GIMI content IDs o Embedding of Turtle (.ttl) metadata files; automatic parsing of GIMI content IDs from Turtle o AOM encoder plugin now auto-selects IQ tune mode o mini-box syntax updated to the current HEIF version 4 draft (thanks @bradh for the initial implementation) o unif brand (globally-unique-ID) support o OMAF (omnidirectional images): indicate ISO/IEC 23000-22 spherical/ omnidirectional image projection o alpha bit-depth tracked through the color-conversion pipeline o CVE-2026-32738 (GHSA-7f2h-cmpf-v9ww) : Heap OOB Read / SEGV Crash via Zero samples_per_chunk in stsc (bsc#1265874) o CVE-2026-32739 (GHSA-j9g7-q9hv-gq8c) : Infinite Loop DoS in stts Sample Duration Lookup (bsc#1265875) o CVE-2026-32740 (GHSA-frfr-f3vg-2g6j) : Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing (bsc#1265876) o CVE-2026-32741 (GHSA-j3w5-7whq-p37q) : heap buffer overflow in decode_mask_image() (bsc#1265877) o CVE-2026-32814 (GHSA-4m8r-34pg-rvwc) : Uninitialized Heap Memory Information Leak via Failed Grid Tiles (bsc#1265878) o CVE-2026-32882 (GHSA-hg7q-rjr2-8x46) : Heap Buffer OOB Read in overlay compositing due to wrong alpha stride (bsc#1265879) o CVE-2026-41069 (GHSA-p82x-fpmv-576r) : Out-of-bounds vector access leading to invalid dereference (bsc#1265979) o CVE-2026-41071 (GHSA-xj92-xjff-h8w3) : Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz sample count (bsc#1265980) o CVE-2026-47178 (GHSA-5x55-x5pf-9c6g) : Heap Out Of Bounds Write in unci subsystem (bsc#1265981) o CVE-2026-47247 (GHSA-2vh6-whr3-cmq3) : Heap Information Disclosure via Grid Image Gap + Uninitialized Pixel Plane Allocation (bsc#1265982) o CVE-2026-47251 (GHSA-p6q9-fhf2-vj9v) : Incomplete fix for (bsc#1265983) CVE-2026-3949: integer overflow bypass in vvdec_push_data2 o CVE-2026-47254 (GHSA-wqjg-4x9g-6cvg) : Heap Buffer Overflow in Track::get_next_sample_raw_data() -- OOB Chunk Vector Access (bsc#1265987) o CVE-2026-47709 (GHSA-4h72-vqgp-9376) : NULL pointer dereference in heif_image_handle_get_image_tiling for malformed unci image missing ispe (bsc#1265988) o CVE-2026-47714 (GHSA-h4wm-6wwf-qvhx) : Integer overflow in inline mask size calculation causes undersized buffer allocation (bsc#1265989) o CVE-2026-48029 (GHSA-6x5f-qchq-cxqv) : heap OOB read in ImageItem_Grid::decode_grid_tile via irot-induced tile- coordinate underflow (bsc#1265990) o (GHSA-95jx-g5vf-cpp8) : Integer Overflow in SampleAuxInfoReader Offset Calculation (bsc#1265992) o (GHSA-p4r6-6972-g26m) : Incorrect byte-count initialization in BitstreamRange constructor allows container-boundary check bypass (bsc# 1265995) o (GHSA-jh2w-m72q-q595) : Out-of-bounds read and assertion- based DoS in EXIF parsing (find_exif_tag / read32) with short EXIF TIFF payload (bsc#1265996) o (GHSA-9h96-c44j-jpq9) : Heap buffer overflow via uint32_t stride overflow in image plane allocation (bsc#1265997) o Build / CI o requires C++20 o oss-fuzz integration overhauled o fuzzers for tile API, generic API surface, and per-codec encoders o update to 1.21.2: o build script for JS/WASM now supports building with JPEG2000 and "ISO23001-17 Uncompressed" support. o image sequence SAI data now works when using the OpenH264 decoder plugin o update to 1.21.1: o This patch release only fixes a build error with some GCC versions because of a missing #include. o update to 1.21.0: o This release adds full support for reading and writing HEIF image sequences. libheif will now encode HEIF image sequences with all included codecs. o Since HEIF image sequences are very similar to MP4 videos, this new version is also capable of decoding most MP4 videos (without audio, of course). o heif-enc documentation for sequence encoding o API documentation for reading and writing sequences o Support for image sequences with alpha channels. For most codecs, the alpha channel will be stored in a separate, auxiliary, monochrome track. For ISO/ IEC 23001-17 (uncompressed) streams, the alpha channel is stored in the main video track. o Support for sequence track edit lists to define the number of sequence repetitions (without actually repeating the video data). o New encoder plugin using x264 to write H.264-compressed video streams and images. o The FFmpeg decoder plugin will now decode both H.265 and H.264. o Support for HEIF text items and language properties. o CVEs fixed: CVE-2025-68431 o update to 1.20.2: o When opening tiled images, do not check against maximum image size immediately to allow for tile-based decoding of very large images. o Several smaller fixes in writing image sequences o CMake option to disable building of heif-view, which pulls in dependency on SDL o Fixes reading/writing of GIMI content IDs o Some build fixes o Remove conditionals for openh264, we can build against noopenh264 o update to 1.20.1: o Fixes a bug in decoder plugin loading. o Changes from 1.20.0: o Sequences: o API for reading and writing image sequences. You can read and write sequences for all codecs (not just H.265 / AV1, but also JPEG-2000, ISO-23001-17 uncompressed, ...). Currently only intra-coded sequences are supported. o API for reading and writing metadata sequences. The metadata tracks can contain any raw timed data. o Support for SAI (sample auxiliary information). Timed samples (from image sequences or metadata) can have auxiliary data attached. Currently we support TAI timestamps and GIMI content description IDs. o Support for track references. o The API for sequences is described here: https://github.com/strukturag/ libheif/wiki/Reading-and-Writing-Sequences o New command line tool heif-view to show HEIF sequences (requires libSDL). o Other new features: o You can specify a security limit for the maximum total memory libheif may use for decoding. This is easier to handle than specifying limits on the maximum image size or single memory allocations. o Support for TAI timestamps (in images and sequences) has been promoted from experimental to stable. o FFMPEG plugin now supports HDR decoding o Header files are now split into individual headers by topic. However, it should still be backwards compatible with heif.h being a catch-all covering the old content. For new functionality (sequences, TAI), you will need to include the specific headers. o All struct names of the API are now also typedefs. o add build requires for brotli which it looks for since 1.18 o prepare building heif-view o update to 1.19.8: o Set essential flag for transformative properties as required by MIAF. This fixes the display of AVIF images with transformations encoded by libheif in Chrome, which checks whether this flag is set. This mainly affected images encoded by ImageMagick. o If the environment variable LIBHEIF_SECURITY_LIMITS is set to OFF, libheif will not check any security limits. This can be used if a user works with large images and the application software does not allow to adjust the libheif security limits. o Resolved processing 16-bit JPEG-2000 o update to 1.19.7: o Fixes a build error with SVT-AV1 encoder plugin when using reduced symbol visibility o update to 1.19.6: o C++ and Go wrapper licenses have been changed to MIT o supports SVT-AV1 v3.0.0 encoder o support emscripten builds for ES6 modules o Use correct license (these were changed in 2018) o Ensure Name: is conditionalized for the multibuild flavors to not overwrite the .src.rpm (which is a processed .spec) and to allow OBS to properly distinguish them flavors. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o Desktop Applications Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-2622=1 o SUSE Package Hub 15 15-SP7 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2622= 1 Package List: o Desktop Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64) libheif-aom-debuginfo-1.23.0-150700.3.15.1 libheif-debugsource-1.23.0-150700.3.15.1 libheif-jpeg-debuginfo-1.23.0-150700.3.15.1 libheif-dav1d-1.23.0-150700.3.15.1 libheif1-debuginfo-1.23.0-150700.3.15.1 libheif1-1.23.0-150700.3.15.1 libheif-jpeg-1.23.0-150700.3.15.1 libheif-rav1e-1.23.0-150700.3.15.1 libheif-rav1e-debuginfo-1.23.0-150700.3.15.1 libheif-aom-1.23.0-150700.3.15.1 libheif-dav1d-debuginfo-1.23.0-150700.3.15.1 o SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64) gdk-pixbuf-loader-libheif-1.23.0-150700.3.15.1 libheif-debugsource-1.23.0-150700.3.15.1 gdk-pixbuf-loader-libheif-debuginfo-1.23.0-150700.3.15.1 libheif-ffmpeg-debuginfo-1.23.0-150700.3.15.1 libheif-ffmpeg-1.23.0-150700.3.15.1 libheif-devel-1.23.0-150700.3.15.1 References: o https://www.suse.com/security/cve/CVE-2025-68431.html o https://www.suse.com/security/cve/CVE-2026-32738.html o https://www.suse.com/security/cve/CVE-2026-32739.html o https://www.suse.com/security/cve/CVE-2026-32740.html o https://www.suse.com/security/cve/CVE-2026-32741.html o https://www.suse.com/security/cve/CVE-2026-32814.html o https://www.suse.com/security/cve/CVE-2026-32882.html o https://www.suse.com/security/cve/CVE-2026-3949.html o https://www.suse.com/security/cve/CVE-2026-3950.html o https://www.suse.com/security/cve/CVE-2026-41069.html o https://www.suse.com/security/cve/CVE-2026-41071.html o https://www.suse.com/security/cve/CVE-2026-47178.html o https://www.suse.com/security/cve/CVE-2026-47247.html o https://www.suse.com/security/cve/CVE-2026-47251.html o https://www.suse.com/security/cve/CVE-2026-47254.html o https://www.suse.com/security/cve/CVE-2026-47709.html o https://www.suse.com/security/cve/CVE-2026-47714.html o https://www.suse.com/security/cve/CVE-2026-48029.html o https://www.suse.com/security/cve/CVE-2026-49271.html o https://www.suse.com/security/cve/CVE-2026-50142.html o https://bugzilla.suse.com/show_bug.cgi?id=1255735 o https://bugzilla.suse.com/show_bug.cgi?id=1259544 o https://bugzilla.suse.com/show_bug.cgi?id=1265874 o https://bugzilla.suse.com/show_bug.cgi?id=1265875 o https://bugzilla.suse.com/show_bug.cgi?id=1265876 o https://bugzilla.suse.com/show_bug.cgi?id=1265877 o https://bugzilla.suse.com/show_bug.cgi?id=1265878 o https://bugzilla.suse.com/show_bug.cgi?id=1265879 o https://bugzilla.suse.com/show_bug.cgi?id=1265979 o https://bugzilla.suse.com/show_bug.cgi?id=1265980 o https://bugzilla.suse.com/show_bug.cgi?id=1265981 o https://bugzilla.suse.com/show_bug.cgi?id=1265982 o https://bugzilla.suse.com/show_bug.cgi?id=1265983 o https://bugzilla.suse.com/show_bug.cgi?id=1265987 o https://bugzilla.suse.com/show_bug.cgi?id=1265988 o https://bugzilla.suse.com/show_bug.cgi?id=1265989 o https://bugzilla.suse.com/show_bug.cgi?id=1265990 o https://bugzilla.suse.com/show_bug.cgi?id=1265992 o https://bugzilla.suse.com/show_bug.cgi?id=1265995 o https://bugzilla.suse.com/show_bug.cgi?id=1265996 o https://bugzilla.suse.com/show_bug.cgi?id=1265997 o https://bugzilla.suse.com/show_bug.cgi?id=1266281 o https://bugzilla.suse.com/show_bug.cgi?id=1266282 o https://bugzilla.suse.com/show_bug.cgi?id=1267455 - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| SUSE | libheif |
Timeline
- Jun 24, 2026 CVE Published