Detections
Analytics

SUSE SLED15: gdk-pixbuf-loader-libheif / libheif-aom / libheif-dav1d / etc (SUSE-SU-2026:2622-1)

medium Nessus Plugin ID 323098

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2622-1 advisory.

 This update for libheif fixes the following issues

 Update to 1.23.0:

 - CVE-2025-68431: heap buffer over-read in `HeifPixelImage: overlay()` via crafted HEIF that exercises the overlay image item (bsc#1255735).
 - CVE-2026-3950: manipulation of the component stsz/stts can lead to out-of-bounds read (bsc#1259544).
 - CVE-2026-32738: Heap OOB Read / SEGV Crash via Zero samples_per_chunk in stsc (bsc#1265874).
 - CVE-2026-32739: Infinite Loop DoS in stts Sample Duration Lookup (bsc#1265875).
 - CVE-2026-32740: Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing (bsc#1265876).
 - CVE-2026-32741: heap buffer overflow in decode_mask_image() (bsc#1265877).
 - CVE-2026-32814: Uninitialized Heap Memory Information Leak via Failed Grid Tiles (bsc#1265878).
 - CVE-2026-32882: Heap Buffer OOB Read in overlay compositing due to wrong alpha stride (bsc#1265879).
 - CVE-2026-41069: Out-of-bounds vector access leading to invalid dereference (bsc#1265979).
 - CVE-2026-41071: Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz sample count (bsc#1265980).
 - CVE-2026-47178: Heap Out Of Bounds Write in unci subsystem (bsc#1265981).
 - CVE-2026-47247: Heap Information Disclosure via Grid Image Gap + Uninitialized Pixel Plane Allocation (bsc#1265982).
 - CVE-2026-47251: integer overflow bypass in vvdec_push_data2 (bsc#1265983).
 - CVE-2026-47254: Heap Buffer Overflow in `Track: get_next_sample_raw_data()` -- OOB Chunk Vector Access (bsc#1265987).
 - CVE-2026-47709: NULL pointer dereference in heif_image_handle_get_image_tiling for malformed unci image missing ispe (bsc#1265988).
 - CVE-2026-47714: Integer overflow in inline mask size calculation causes undersized buffer allocation (bsc#1265989).
 - CVE-2026-48029: heap OOB read in ImageItem_Grid: decode_grid_tile via irot-induced tile-coordinate underflow (bsc#1265990).
 - CVE-2026-49271: Wrapped icef compressed-unit range check causes out-of-bounds read in uncompressed HEIF decoder (bsc#1266282).
 - CVE-2026-50142: unbounded heap allocation in HEIF sequence parser (bsc#1267455).
 - Heap buffer overflow via uint32_t stride overflow in image plane allocation (+ 2 additional instances) (bsc#1265997).
 - Incorrect byte-count initialization in BitstreamRange constructor allows container-boundary check bypass (bsc#1265995).
 - Integer Overflow in SampleAuxInfoReader Offset Calculation (bsc#1265992).
 - Out-of-bounds read and assertion-based DoS in EXIF parsing (find_exif_tag / read32) with short EXIF TIFF payload (bsc#1265996).
 - Out-of-bounds write in inline mask region API when source mask exceeds declared region (bsc#1266281).

 Changes for libheif:

 - version update to 1.23.0:
 * add API functions to read and write metadata:
 ambient viewing environment nominal diffuse white luminance
 * adds a output_image_nclx_profile_passthrough option to heif_decoding_options
 * CVE-2026-50142 (GHSA-jvmp-j3cw-84mh) - unbounded heap allocation in HEIF sequence parser (stsz fixed-size mode missing bound check)
 - version update to 1.22.2:
 * build issues with OpenJPEG plugin (#1813)
 * non-plain C in header (#1812)
 * CVE-2026-49271 (GHSA-r7qj-cg5r-r6vf) - Wrapped icef compressed-unit range check causes out-of-bounds read in uncompressed HEIF decoder
 * CVE TBD (GHSA-5hqq-636x-r3cr) - Out-of-bounds write in inline mask region API when source mask exceeds declared region
 - update to 1.22.0:
 * This is a large release with substantial new functionality, mainly focusing on generalized image formats (e.g., multi- spectral images) and a reworked implementation of ISO/IEC 23001-17 (lossless image codec).
 * HDR up to 64 bpp
 * Multi-component images with arbitrary component layouts (multi-spectral images, arbitrary non-visual data)
 * Filter-array (Bayer / mosaic) images, with debayering in color transformation pipeline
 * Metadata: chroma-sample location (cloc), sample non- uniformity (snuc), sensor bad-pixel map (sbpm), polarization pattern (splz)
 * heif-dec can now convert to WebP (thanks to @torusrxxx).
 * heif-enc can now accept input from WebP, HEIF, pure raw files (including floating point pixel data), and CMYK JPEG (converted to RGB).
 * TIFF input can now read many TIFF formats used in geospatial imaging, like: 16-bit, signed integers, float samples, tiled TIFFs, GeoTIFF overview images, CMYK JPEG, YCbCr-as-JPEG.
 TIFFs with image tiling and multi-resolution layers are now reproduced as HEIFs when converted.
 * PNG decoder/encoder: cICP, cLLI, and mDCV chunk support (#1697).
 * heif-dec: auto-correct option to fix known input errors (e.g.
 mismatched NCLX/VUI).
 * Image, Track, Sequence samples, image component GIMI content IDs
 * Embedding of Turtle (.ttl) metadata files; automatic parsing of GIMI content IDs from Turtle
 * AOM encoder plugin now auto-selects IQ tune mode
 * mini-box syntax updated to the current HEIF version 4 draft (thanks @bradh for the initial implementation)
 * unif brand (globally-unique-ID) support
 * OMAF (omnidirectional images): indicate ISO/IEC 23000-22 spherical/omnidirectional image projection
 * alpha bit-depth tracked through the color-conversion pipeline
 * CVE-2026-32738 (GHSA-7f2h-cmpf-v9ww) : Heap OOB Read / SEGV Crash via Zero samples_per_chunk in stsc (bsc#1265874)
 * CVE-2026-32739 (GHSA-j9g7-q9hv-gq8c) : Infinite Loop DoS in stts Sample Duration Lookup (bsc#1265875)
 * CVE-2026-32740 (GHSA-frfr-f3vg-2g6j) : Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing (bsc#1265876)
 * CVE-2026-32741 (GHSA-j3w5-7whq-p37q) : heap buffer overflow in decode_mask_image() (bsc#1265877)
 * CVE-2026-32814 (GHSA-4m8r-34pg-rvwc) : Uninitialized Heap Memory Information Leak via Failed Grid Tiles (bsc#1265878)
 * CVE-2026-32882 (GHSA-hg7q-rjr2-8x46) : Heap Buffer OOB Read in overlay compositing due to wrong alpha stride (bsc#1265879)
 * CVE-2026-41069 (GHSA-p82x-fpmv-576r) : Out-of-bounds vector access leading to invalid dereference (bsc#1265979)
 * CVE-2026-41071 (GHSA-xj92-xjff-h8w3) : Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz sample count (bsc#1265980)
 * CVE-2026-47178 (GHSA-5x55-x5pf-9c6g) : Heap Out Of Bounds Write in unci subsystem (bsc#1265981)
 * CVE-2026-47247 (GHSA-2vh6-whr3-cmq3) : Heap Information Disclosure via Grid Image Gap + Uninitialized Pixel Plane Allocation (bsc#1265982)
 * CVE-2026-47251 (GHSA-p6q9-fhf2-vj9v) : Incomplete fix for (bsc#1265983) CVE-2026-3949: integer overflow bypass in vvdec_push_data2
 * CVE-2026-47254 (GHSA-wqjg-4x9g-6cvg) : Heap Buffer Overflow in `Track::get_next_sample_raw_data()` -- OOB Chunk Vector Access (bsc#1265987)
 * CVE-2026-47709 (GHSA-4h72-vqgp-9376) : NULL pointer dereference in heif_image_handle_get_image_tiling for malformed unci image missing ispe (bsc#1265988)
 * CVE-2026-47714 (GHSA-h4wm-6wwf-qvhx) : Integer overflow in inline mask size calculation causes undersized buffer allocation (bsc#1265989)
 * CVE-2026-48029 (GHSA-6x5f-qchq-cxqv) : heap OOB read in ImageItem_Grid::decode_grid_tile via irot-induced tile- coordinate underflow (bsc#1265990)
 * (GHSA-95jx-g5vf-cpp8) : Integer Overflow in SampleAuxInfoReader Offset Calculation (bsc#1265992)
 * (GHSA-p4r6-6972-g26m) : Incorrect byte-count initialization in BitstreamRange constructor allows container-boundary check bypass (bsc#1265995)
 * (GHSA-jh2w-m72q-q595) : Out-of-bounds read and assertion- based DoS in EXIF parsing (find_exif_tag / read32) with short EXIF TIFF payload (bsc#1265996)
 * (GHSA-9h96-c44j-jpq9) : Heap buffer overflow via uint32_t stride overflow in image plane allocation (bsc#1265997)
 * ## Build / CI
 * requires C++20
 * oss-fuzz integration overhauled
 * fuzzers for tile API, generic API surface, and per-codec encoders
 - update to 1.21.2:
 * build script for JS/WASM now supports building with JPEG2000 and 'ISO23001-17 Uncompressed' support.
 * image sequence SAI data now works when using the OpenH264 decoder plugin
 - update to 1.21.1:
 * This patch release only fixes a build error with some GCC versions because of a missing #include.
 - update to 1.21.0:
 * This release adds full support for reading and writing HEIF image sequences. libheif will now encode HEIF image sequences with all included codecs.
 * Since HEIF image sequences are very similar to MP4 videos, this new version is also capable of decoding most MP4 videos (without audio, of course).
 * heif-enc documentation for sequence encoding
 * API documentation for reading and writing sequences
 * Support for image sequences with alpha channels. For most codecs, the alpha channel will be stored in a separate, auxiliary, monochrome track. For ISO/IEC 23001-17 (uncompressed) streams, the alpha channel is stored in the main video track.
 * Support for sequence track edit lists to define the number of sequence repetitions (without actually repeating the video data).
 * New encoder plugin using x264 to write H.264-compressed video streams and images.
 * The FFmpeg decoder plugin will now decode both H.265 and H.264.
 * Support for HEIF text items and language properties.
 * CVEs fixed: CVE-2025-68431
 - update to 1.20.2:
 - When opening tiled images, do not check against maximum image size immediately to allow for tile-based decoding of very large images.
 - Several smaller fixes in writing image sequences
 - CMake option to disable building of heif-view, which pulls in dependency on SDL
 - Fixes reading/writing of GIMI content IDs
 - Some build fixes
 - Remove conditionals for openh264, we can build against noopenh264
 - update to 1.20.1:
 - Fixes a bug in decoder plugin loading.
 - Changes from 1.20.0:
 - Sequences:
 - API for reading and writing image sequences. You can read and write sequences for all codecs (not just H.265 / AV1, but also JPEG-2000, ISO-23001-17 uncompressed, ...). Currently only intra-coded sequences are supported.
 - API for reading and writing metadata sequences. The metadata tracks can contain any raw timed data.
 - Support for SAI (sample auxiliary information). Timed samples (from image sequences or metadata) can have auxiliary data attached. Currently we support TAI timestamps and GIMI content description IDs.
 - Support for track references.
 - The API for sequences is described here:
 https://github.com/strukturag/libheif/wiki/Reading-and-Writing-Sequences
 - New command line tool heif-view to show HEIF sequences (requires libSDL).
 - Other new features:
 - You can specify a security limit for the maximum total memory libheif may use for decoding. This is easier to handle than specifying limits on the maximum image size or single memory allocations.
 - Support for TAI timestamps (in images and sequences) has been promoted from experimental to stable.
 - FFMPEG plugin now supports HDR decoding
 - Header files are now split into individual headers by topic.
 However, it should still be backwards compatible with heif.h being a catch-all covering the old content. For new functionality (sequences, TAI), you will need to include the specific headers.
 - All struct names of the API are now also typedefs.
 - add build requires for brotli which it looks for since 1.18
 - prepare building heif-view
 - update to 1.19.8:
 * Set essential flag for transformative properties as required by MIAF. This fixes the display of AVIF images with transformations encoded by libheif in Chrome, which checks whether this flag is set. This mainly affected images encoded by ImageMagick.
 * If the environment variable LIBHEIF_SECURITY_LIMITS is set to OFF, libheif will not check any security limits. This can be used if a user works with large images and the application software does not allow to adjust the libheif security limits.
 * Resolved processing 16-bit JPEG-2000
 - update to 1.19.7:
 * Fixes a build error with SVT-AV1 encoder plugin when using reduced symbol visibility
 - update to 1.19.6:
 * C++ and Go wrapper licenses have been changed to MIT
 * supports SVT-AV1 v3.0.0 encoder
 * support emscripten builds for ES6 modules
 - Use correct license (these were changed in 2018)
 - Ensure Name: is conditionalized for the multibuild flavors to not overwrite the .src.rpm (which is a processed .spec) and to allow OBS to properly distinguish them flavors.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1255735

https://bugzilla.suse.com/1259544

https://bugzilla.suse.com/1265874

https://bugzilla.suse.com/1265875

https://bugzilla.suse.com/1265876

https://bugzilla.suse.com/1265877

https://bugzilla.suse.com/1265878

https://bugzilla.suse.com/1265879

https://bugzilla.suse.com/1265979

https://bugzilla.suse.com/1265980

https://bugzilla.suse.com/1265981

https://bugzilla.suse.com/1265982

https://bugzilla.suse.com/1265983

https://bugzilla.suse.com/1265987

https://bugzilla.suse.com/1265988

https://bugzilla.suse.com/1265989

https://bugzilla.suse.com/1265990

https://bugzilla.suse.com/1265992

https://bugzilla.suse.com/1265995

https://bugzilla.suse.com/1265996

https://bugzilla.suse.com/1265997

https://bugzilla.suse.com/1266281

https://bugzilla.suse.com/1266282

https://bugzilla.suse.com/1267455

https://lists.suse.com/pipermail/sle-updates/2026-June/047600.html

https://www.suse.com/security/cve/CVE-2025-68431

https://www.suse.com/security/cve/CVE-2026-32738

https://www.suse.com/security/cve/CVE-2026-32739

https://www.suse.com/security/cve/CVE-2026-32740

https://www.suse.com/security/cve/CVE-2026-32741

https://www.suse.com/security/cve/CVE-2026-32814

https://www.suse.com/security/cve/CVE-2026-32882

https://www.suse.com/security/cve/CVE-2026-3949

https://www.suse.com/security/cve/CVE-2026-3950

https://www.suse.com/security/cve/CVE-2026-41069

https://www.suse.com/security/cve/CVE-2026-41071

https://www.suse.com/security/cve/CVE-2026-47178

https://www.suse.com/security/cve/CVE-2026-47247

https://www.suse.com/security/cve/CVE-2026-47251

https://www.suse.com/security/cve/CVE-2026-47254

https://www.suse.com/security/cve/CVE-2026-47709

https://www.suse.com/security/cve/CVE-2026-47714

https://www.suse.com/security/cve/CVE-2026-48029

https://www.suse.com/security/cve/CVE-2026-49271

https://www.suse.com/security/cve/CVE-2026-50142

Plugin Details

Severity: Medium

ID: 323098

File Name: suse_SU-2026-2622-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/26/2026

Updated: 6/26/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Low

Base Score: 1.7

Temporal Score: 1.3

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2026-3950

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2026-41071

CVSS v4

Risk Factor: Medium

Base Score: 5.1

Threat Score: 2

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-41071

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:libheif-aom, p-cpe:/a:novell:suse_linux:gdk-pixbuf-loader-libheif, p-cpe:/a:novell:suse_linux:libheif-rav1e, p-cpe:/a:novell:suse_linux:libheif-jpeg, p-cpe:/a:novell:suse_linux:libheif-devel, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:libheif-ffmpeg, p-cpe:/a:novell:suse_linux:libheif-dav1d, p-cpe:/a:novell:suse_linux:libheif1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/24/2026

Vulnerability Publication Date: 12/29/2025

Reference Information

CVE: CVE-2025-68431, CVE-2026-32738, CVE-2026-32739, CVE-2026-32740, CVE-2026-32741, CVE-2026-32814, CVE-2026-32882, CVE-2026-3949, CVE-2026-3950, CVE-2026-41069, CVE-2026-41071, CVE-2026-47178, CVE-2026-47247, CVE-2026-47251, CVE-2026-47254, CVE-2026-47709, CVE-2026-47714, CVE-2026-48029, CVE-2026-49271, CVE-2026-50142

IAVB: 2026-B-0010-S, 2026-B-0158

SuSE: SUSE-SU-2026:2622-1