SUSE-SU-2026:2622-1: important: Security update for libheif
SLE-UPDATES
null at suse.de
Wed Jun 24 16:30:58 UTC 2026
# Security update for libheif
Announcement ID: SUSE-SU-2026:2622-1
Release Date: 2026-06-24T11:55:37Z
Rating: important
References:
* bsc#1255735
* bsc#1259544
* bsc#1265874
* bsc#1265875
* bsc#1265876
* bsc#1265877
* bsc#1265878
* bsc#1265879
* bsc#1265979
* bsc#1265980
* bsc#1265981
* bsc#1265982
* bsc#1265983
* bsc#1265987
* bsc#1265988
* bsc#1265989
* bsc#1265990
* bsc#1265992
* bsc#1265995
* bsc#1265996
* bsc#1265997
* bsc#1266281
* bsc#1266282
* bsc#1267455
Cross-References:
* CVE-2025-68431
* CVE-2026-32738
* CVE-2026-32739
* CVE-2026-32740
* CVE-2026-32741
* CVE-2026-32814
* CVE-2026-32882
* CVE-2026-3949
* CVE-2026-3950
* CVE-2026-41069
* CVE-2026-41071
* CVE-2026-47178
* CVE-2026-47247
* CVE-2026-47251
* CVE-2026-47254
* CVE-2026-47709
* CVE-2026-47714
* CVE-2026-48029
* CVE-2026-49271
* CVE-2026-50142
CVSS scores:
* CVE-2025-68431 ( SUSE ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-68431 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2025-68431 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2025-68431 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-32738 ( SUSE ): 6.0
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-32738 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-32738 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-32738 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-32739 ( SUSE ): 5.7
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-32739 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-32739 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-32740 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-32740 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-32740 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-32741 ( SUSE ): 6.9
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2026-32741 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
* CVE-2026-32741 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
* CVE-2026-32814 ( SUSE ): 5.7
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-32814 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-32814 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2026-32882 ( SUSE ): 7.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-32882 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-32882 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-3949 ( SUSE ): 4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-3949 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-3949 ( NVD ): 1.9
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-3949 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-3950 ( SUSE ): 4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-3950 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-3950 ( NVD ): 1.9
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-3950 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-41069 ( SUSE ): 6.9
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41069 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-41069 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-41071 ( SUSE ): 7.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41071 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-41071 ( NVD ): 5.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-41071 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
* CVE-2026-47178 ( SUSE ): 8.6
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-47178 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-47247 ( SUSE ): 6.9
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-47247 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-47251 ( SUSE ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-47251 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-47254 ( SUSE ): 7.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-47254 ( SUSE ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-47709 ( SUSE ): 6.9
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-47709 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-47714 ( SUSE ): 7.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-47714 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-48029 ( SUSE ): 7.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-48029 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-49271 ( SUSE ): 6.7
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-49271 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-49271 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-50142 ( SUSE ): 6.9
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-50142 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* Desktop Applications Module 15-SP7
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* SUSE Package Hub 15 15-SP7
An update that solves 20 vulnerabilities and has four security fixes can now be
installed.
## Description:
This update for libheif fixes the following issues
Update to 1.23.0:
* CVE-2025-68431: heap buffer over-read in `HeifPixelImage: overlay()` via
crafted HEIF that exercises the overlay image item (bsc#1255735).
* CVE-2026-3950: manipulation of the component stsz/stts can lead to out-of-
bounds read (bsc#1259544).
* CVE-2026-32738: Heap OOB Read / SEGV Crash via Zero samples_per_chunk in
stsc (bsc#1265874).
* CVE-2026-32739: Infinite Loop DoS in stts Sample Duration Lookup
(bsc#1265875).
* CVE-2026-32740: Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing
(bsc#1265876).
* CVE-2026-32741: heap buffer overflow in decode_mask_image() (bsc#1265877).
* CVE-2026-32814: Uninitialized Heap Memory Information Leak via Failed Grid
Tiles (bsc#1265878).
* CVE-2026-32882: Heap Buffer OOB Read in overlay compositing due to wrong
alpha stride (bsc#1265879).
* CVE-2026-41069: Out-of-bounds vector access leading to invalid dereference
(bsc#1265979).
* CVE-2026-41071: Heap buffer over-read in SampleAuxInfoReader via crafted
HEIF sequence file with mismatched saiz sample count (bsc#1265980).
* CVE-2026-47178: Heap Out Of Bounds Write in unci subsystem (bsc#1265981).
* CVE-2026-47247: Heap Information Disclosure via Grid Image Gap +
Uninitialized Pixel Plane Allocation (bsc#1265982).
* CVE-2026-47251: integer overflow bypass in vvdec_push_data2 (bsc#1265983).
* CVE-2026-47254: Heap Buffer Overflow in `Track: get_next_sample_raw_data()`
\-- OOB Chunk Vector Access (bsc#1265987).
* CVE-2026-47709: NULL pointer dereference in
heif_image_handle_get_image_tiling for malformed unci image missing ispe
(bsc#1265988).
* CVE-2026-47714: Integer overflow in inline mask size calculation causes
undersized buffer allocation (bsc#1265989).
* CVE-2026-48029: heap OOB read in ImageItem_Grid: decode_grid_tile via irot-
induced tile-coordinate underflow (bsc#1265990).
* CVE-2026-49271: Wrapped icef compressed-unit range check causes out-of-
bounds read in uncompressed HEIF decoder (bsc#1266282).
* CVE-2026-50142: unbounded heap allocation in HEIF sequence parser
(bsc#1267455).
* Heap buffer overflow via uint32_t stride overflow in image plane allocation
(+ 2 additional instances) (bsc#1265997).
* Incorrect byte-count initialization in BitstreamRange constructor allows
container-boundary check bypass (bsc#1265995).
* Integer Overflow in SampleAuxInfoReader Offset Calculation (bsc#1265992).
* Out-of-bounds read and assertion-based DoS in EXIF parsing (find_exif_tag /
read32) with short EXIF TIFF payload (bsc#1265996).
* Out-of-bounds write in inline mask region API when source mask exceeds
declared region (bsc#1266281).
Changes for libheif:
* version update to 1.23.0:
* add API functions to read and write metadata: ambient viewing environment
nominal diffuse white luminance
* adds a output_image_nclx_profile_passthrough option to heif_decoding_options
* CVE-2026-50142 (GHSA-jvmp-j3cw-84mh) - unbounded heap allocation in HEIF
sequence parser (stsz fixed-size mode missing bound check)
* version update to 1.22.2:
* build issues with OpenJPEG plugin (#1813)
* non-plain C in header (#1812)
* CVE-2026-49271 (GHSA-r7qj-cg5r-r6vf) - Wrapped icef compressed-unit range
check causes out-of-bounds read in uncompressed HEIF decoder
* CVE TBD (GHSA-5hqq-636x-r3cr) - Out-of-bounds write in inline mask region
API when source mask exceeds declared region
* update to 1.22.0:
* This is a large release with substantial new functionality, mainly focusing
on generalized image formats (e.g., multi- spectral images) and a reworked
implementation of ISO/IEC 23001-17 (lossless image codec).
* HDR up to 64 bpp
* Multi-component images with arbitrary component layouts (multi-spectral
images, arbitrary non-visual data)
* Filter-array (Bayer / mosaic) images, with debayering in color
transformation pipeline
* Metadata: chroma-sample location (cloc), sample non- uniformity (snuc),
sensor bad-pixel map (sbpm), polarization pattern (splz)
* heif-dec can now convert to WebP (thanks to @torusrxxx).
* heif-enc can now accept input from WebP, HEIF, pure raw files (including
floating point pixel data), and CMYK JPEG (converted to RGB).
* TIFF input can now read many TIFF formats used in geospatial imaging, like:
16-bit, signed integers, float samples, tiled TIFFs, GeoTIFF overview
images, CMYK JPEG, YCbCr-as-JPEG. TIFFs with image tiling and multi-
resolution layers are now reproduced as HEIFs when converted.
* PNG decoder/encoder: cICP, cLLI, and mDCV chunk support (#1697).
* heif-dec: auto-correct option to fix known input errors (e.g. mismatched
NCLX/VUI).
* Image, Track, Sequence samples, image component GIMI content IDs
* Embedding of Turtle (.ttl) metadata files; automatic parsing of GIMI content
IDs from Turtle
* AOM encoder plugin now auto-selects IQ tune mode
* mini-box syntax updated to the current HEIF version 4 draft (thanks @bradh
for the initial implementation)
* unif brand (globally-unique-ID) support
* OMAF (omnidirectional images): indicate ISO/IEC 23000-22
spherical/omnidirectional image projection
* alpha bit-depth tracked through the color-conversion pipeline
* CVE-2026-32738 (GHSA-7f2h-cmpf-v9ww) : Heap OOB Read / SEGV Crash via Zero
samples_per_chunk in stsc (bsc#1265874)
* CVE-2026-32739 (GHSA-j9g7-q9hv-gq8c) : Infinite Loop DoS in stts Sample
Duration Lookup (bsc#1265875)
* CVE-2026-32740 (GHSA-frfr-f3vg-2g6j) : Heap-Buffer-Overflow Write in Grid
Tile Chroma Compositing (bsc#1265876)
* CVE-2026-32741 (GHSA-j3w5-7whq-p37q) : heap buffer overflow in
decode_mask_image() (bsc#1265877)
* CVE-2026-32814 (GHSA-4m8r-34pg-rvwc) : Uninitialized Heap Memory Information
Leak via Failed Grid Tiles (bsc#1265878)
* CVE-2026-32882 (GHSA-hg7q-rjr2-8x46) : Heap Buffer OOB Read in overlay
compositing due to wrong alpha stride (bsc#1265879)
* CVE-2026-41069 (GHSA-p82x-fpmv-576r) : Out-of-bounds vector access leading
to invalid dereference (bsc#1265979)
* CVE-2026-41071 (GHSA-xj92-xjff-h8w3) : Heap buffer over-read in
SampleAuxInfoReader via crafted HEIF sequence file with mismatched saiz
sample count (bsc#1265980)
* CVE-2026-47178 (GHSA-5x55-x5pf-9c6g) : Heap Out Of Bounds Write in unci
subsystem (bsc#1265981)
* CVE-2026-47247 (GHSA-2vh6-whr3-cmq3) : Heap Information Disclosure via Grid
Image Gap + Uninitialized Pixel Plane Allocation (bsc#1265982)
* CVE-2026-47251 (GHSA-p6q9-fhf2-vj9v) : Incomplete fix for (bsc#1265983)
CVE-2026-3949: integer overflow bypass in vvdec_push_data2
* CVE-2026-47254 (GHSA-wqjg-4x9g-6cvg) : Heap Buffer Overflow in
`Track::get_next_sample_raw_data()` \-- OOB Chunk Vector Access
(bsc#1265987)
* CVE-2026-47709 (GHSA-4h72-vqgp-9376) : NULL pointer dereference in
heif_image_handle_get_image_tiling for malformed unci image missing ispe
(bsc#1265988)
* CVE-2026-47714 (GHSA-h4wm-6wwf-qvhx) : Integer overflow in inline mask size
calculation causes undersized buffer allocation (bsc#1265989)
* CVE-2026-48029 (GHSA-6x5f-qchq-cxqv) : heap OOB read in
ImageItem_Grid::decode_grid_tile via irot-induced tile- coordinate underflow
(bsc#1265990)
* (GHSA-95jx-g5vf-cpp8) : Integer Overflow in SampleAuxInfoReader Offset
Calculation (bsc#1265992)
* (GHSA-p4r6-6972-g26m) : Incorrect byte-count initialization in
BitstreamRange constructor allows container-boundary check bypass
(bsc#1265995)
* (GHSA-jh2w-m72q-q595) : Out-of-bounds read and assertion- based DoS in EXIF
parsing (find_exif_tag / read32) with short EXIF TIFF payload (bsc#1265996)
* (GHSA-9h96-c44j-jpq9) : Heap buffer overflow via uint32_t stride overflow in
image plane allocation (bsc#1265997)
* ## Build / CI
* requires C++20
* oss-fuzz integration overhauled
* fuzzers for tile API, generic API surface, and per-codec encoders
* update to 1.21.2:
* build script for JS/WASM now supports building with JPEG2000 and
"ISO23001-17 Uncompressed" support.
* image sequence SAI data now works when using the OpenH264 decoder plugin
* update to 1.21.1:
* This patch release only fixes a build error with some GCC versions because
of a missing #include.
* update to 1.21.0:
* This release adds full support for reading and writing HEIF image sequences.
libheif will now encode HEIF image sequences with all included codecs.
* Since HEIF image sequences are very similar to MP4 videos, this new version
is also capable of decoding most MP4 videos (without audio, of course).
* heif-enc documentation for sequence encoding
* API documentation for reading and writing sequences
* Support for image sequences with alpha channels. For most codecs, the alpha
channel will be stored in a separate, auxiliary, monochrome track. For
ISO/IEC 23001-17 (uncompressed) streams, the alpha channel is stored in the
main video track.
* Support for sequence track edit lists to define the number of sequence
repetitions (without actually repeating the video data).
* New encoder plugin using x264 to write H.264-compressed video streams and
images.
* The FFmpeg decoder plugin will now decode both H.265 and H.264.
* Support for HEIF text items and language properties.
* CVEs fixed: CVE-2025-68431
* update to 1.20.2:
* When opening tiled images, do not check against maximum image size
immediately to allow for tile-based decoding of very large images.
* Several smaller fixes in writing image sequences
* CMake option to disable building of heif-view, which pulls in dependency on
SDL
* Fixes reading/writing of GIMI content IDs
* Some build fixes
* Remove conditionals for openh264, we can build against noopenh264
* update to 1.20.1:
* Fixes a bug in decoder plugin loading.
* Changes from 1.20.0:
* Sequences:
* API for reading and writing image sequences. You can read and write
sequences for all codecs (not just H.265 / AV1, but also JPEG-2000,
ISO-23001-17 uncompressed, ...). Currently only intra-coded sequences are
supported.
* API for reading and writing metadata sequences. The metadata tracks can
contain any raw timed data.
* Support for SAI (sample auxiliary information). Timed samples (from image
sequences or metadata) can have auxiliary data attached. Currently we
support TAI timestamps and GIMI content description IDs.
* Support for track references.
* The API for sequences is described here:
https://github.com/strukturag/libheif/wiki/Reading-and-Writing-Sequences
* New command line tool heif-view to show HEIF sequences (requires libSDL).
* Other new features:
* You can specify a security limit for the maximum total memory libheif may
use for decoding. This is easier to handle than specifying limits on the
maximum image size or single memory allocations.
* Support for TAI timestamps (in images and sequences) has been promoted from
experimental to stable.
* FFMPEG plugin now supports HDR decoding
* Header files are now split into individual headers by topic. However, it
should still be backwards compatible with heif.h being a catch-all covering
the old content. For new functionality (sequences, TAI), you will need to
include the specific headers.
* All struct names of the API are now also typedefs.
* add build requires for brotli which it looks for since 1.18
* prepare building heif-view
* update to 1.19.8:
* Set essential flag for transformative properties as required by MIAF. This
fixes the display of AVIF images with transformations encoded by libheif in
Chrome, which checks whether this flag is set. This mainly affected images
encoded by ImageMagick.
* If the environment variable LIBHEIF_SECURITY_LIMITS is set to OFF, libheif
will not check any security limits. This can be used if a user works with
large images and the application software does not allow to adjust the
libheif security limits.
* Resolved processing 16-bit JPEG-2000
* update to 1.19.7:
* Fixes a build error with SVT-AV1 encoder plugin when using reduced symbol
visibility
* update to 1.19.6:
* C++ and Go wrapper licenses have been changed to MIT
* supports SVT-AV1 v3.0.0 encoder
* support emscripten builds for ES6 modules
* Use correct license (these were changed in 2018)
* Ensure Name: is conditionalized for the multibuild flavors to not overwrite
the .src.rpm (which is a processed .spec) and to allow OBS to properly
distinguish them flavors.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* Desktop Applications Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-2622=1
* SUSE Package Hub 15 15-SP7
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2622=1
## Package List:
* Desktop Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* libheif-aom-debuginfo-1.23.0-150700.3.15.1
* libheif-debugsource-1.23.0-150700.3.15.1
* libheif-jpeg-debuginfo-1.23.0-150700.3.15.1
* libheif-dav1d-1.23.0-150700.3.15.1
* libheif1-debuginfo-1.23.0-150700.3.15.1
* libheif1-1.23.0-150700.3.15.1
* libheif-jpeg-1.23.0-150700.3.15.1
* libheif-rav1e-1.23.0-150700.3.15.1
* libheif-rav1e-debuginfo-1.23.0-150700.3.15.1
* libheif-aom-1.23.0-150700.3.15.1
* libheif-dav1d-debuginfo-1.23.0-150700.3.15.1
* SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
* gdk-pixbuf-loader-libheif-1.23.0-150700.3.15.1
* libheif-debugsource-1.23.0-150700.3.15.1
* gdk-pixbuf-loader-libheif-debuginfo-1.23.0-150700.3.15.1
* libheif-ffmpeg-debuginfo-1.23.0-150700.3.15.1
* libheif-ffmpeg-1.23.0-150700.3.15.1
* libheif-devel-1.23.0-150700.3.15.1
## References:
* https://www.suse.com/security/cve/CVE-2025-68431.html
* https://www.suse.com/security/cve/CVE-2026-32738.html
* https://www.suse.com/security/cve/CVE-2026-32739.html
* https://www.suse.com/security/cve/CVE-2026-32740.html
* https://www.suse.com/security/cve/CVE-2026-32741.html
* https://www.suse.com/security/cve/CVE-2026-32814.html
* https://www.suse.com/security/cve/CVE-2026-32882.html
* https://www.suse.com/security/cve/CVE-2026-3949.html
* https://www.suse.com/security/cve/CVE-2026-3950.html
* https://www.suse.com/security/cve/CVE-2026-41069.html
* https://www.suse.com/security/cve/CVE-2026-41071.html
* https://www.suse.com/security/cve/CVE-2026-47178.html
* https://www.suse.com/security/cve/CVE-2026-47247.html
* https://www.suse.com/security/cve/CVE-2026-47251.html
* https://www.suse.com/security/cve/CVE-2026-47254.html
* https://www.suse.com/security/cve/CVE-2026-47709.html
* https://www.suse.com/security/cve/CVE-2026-47714.html
* https://www.suse.com/security/cve/CVE-2026-48029.html
* https://www.suse.com/security/cve/CVE-2026-49271.html
* https://www.suse.com/security/cve/CVE-2026-50142.html
* https://bugzilla.suse.com/show_bug.cgi?id=1255735
* https://bugzilla.suse.com/show_bug.cgi?id=1259544
* https://bugzilla.suse.com/show_bug.cgi?id=1265874
* https://bugzilla.suse.com/show_bug.cgi?id=1265875
* https://bugzilla.suse.com/show_bug.cgi?id=1265876
* https://bugzilla.suse.com/show_bug.cgi?id=1265877
* https://bugzilla.suse.com/show_bug.cgi?id=1265878
* https://bugzilla.suse.com/show_bug.cgi?id=1265879
* https://bugzilla.suse.com/show_bug.cgi?id=1265979
* https://bugzilla.suse.com/show_bug.cgi?id=1265980
* https://bugzilla.suse.com/show_bug.cgi?id=1265981
* https://bugzilla.suse.com/show_bug.cgi?id=1265982
* https://bugzilla.suse.com/show_bug.cgi?id=1265983
* https://bugzilla.suse.com/show_bug.cgi?id=1265987
* https://bugzilla.suse.com/show_bug.cgi?id=1265988
* https://bugzilla.suse.com/show_bug.cgi?id=1265989
* https://bugzilla.suse.com/show_bug.cgi?id=1265990
* https://bugzilla.suse.com/show_bug.cgi?id=1265992
* https://bugzilla.suse.com/show_bug.cgi?id=1265995
* https://bugzilla.suse.com/show_bug.cgi?id=1265996
* https://bugzilla.suse.com/show_bug.cgi?id=1265997
* https://bugzilla.suse.com/show_bug.cgi?id=1266281
* https://bugzilla.suse.com/show_bug.cgi?id=1266282
* https://bugzilla.suse.com/show_bug.cgi?id=1267455
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260624/3240bf77/attachment.htm>
More information about the sle-updates
mailing list