On 18 June 2026 Canonical published advisory USN-8454-1, fixing several vulnerabilities in libheif, the library half the Linux desktop relies on to decode HEIF and AVIF images. This is the kind of bug that worries people most about an image viewer: someone hands you a crafted file, you open it, and bad things happen.
What libheif is and why it matters
libheif decodes HEIF (the photo format iPhones produce) and AVIF (increasingly common on the web thanks to its strong compression). You don’t run it by hand. It sits underneath file managers like Nautilus, image viewers, thumbnail generators, and any app that opens photos. When you browse a folder full of images, libheif is already working to build the previews. That’s where the risk lives: the code runs without you doing anything beyond looking.
What goes wrong
The vulnerabilities grouped in this advisory, several of them found by researcher Elhanan Haenel, stem from incorrect handling of malformed HEIF and AVIF files. They come in a few flavours: infinite loops when processing malformed HEIF sequences, which make the library burn through resources; mishandling of files containing mask images; and decoding failures on crafted images. The Ubuntu advisory describes the impact at two levels. In the best case, a denial of service, where the application that opened the image hangs or closes. In the worst case, the possibility of arbitrary code execution while processing a malicious image.
The gap between those outcomes is large. A denial of service is annoying but recoverable. Code execution lets whoever sent the image run instructions with the permissions of the process that opened it, which is usually your own user session.
Who is affected
USN-8454-1 covers a wide range of Ubuntu releases: 26.04 LTS, 25.10, 24.04 LTS, 22.04 LTS, 20.04 LTS, and 18.04 LTS. The last two get the patch through Ubuntu Pro / ESM, so you need ESM enabled to receive it on those older systems. If you run Ubuntu in any of its desktop flavours, you almost certainly have libheif installed, because the graphical libraries of the desktop pull it in.
How to protect yourself
A standard system update fixes everything. Nothing exotic required:
sudo apt update
sudo apt upgrade
The fixed versions are 1.21.2-3ubuntu0.1 on Ubuntu 26.04, 1.20.2-1ubuntu0.4 on 25.10, and 1.17.6-1ubuntu4.4 on 24.04, with ESM packages for the older branches. After updating, close and reopen any apps you already had running, because the ones in memory keep using the old copy of the library until you restart them. To be safe, log out and back in.
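To turn the two checks above (is the installed package at or past the fixed version, and is anything still running on the old copy) into something you can run after the upgrade, here is an added example script. It is not Canonical's tooling or part of the advisory; it assumes the runtime package is named libheif1, that dpkg-query and /etc/os-release are present as on any Ubuntu system, and that apt replaced the library file on disk so processes still mapping the old copy show it as "(deleted)" in /proc/<pid>/maps. The version comparison reimplements dpkg's ordering rules so it can be exercised offline; the fixed versions are the ones quoted in the advisory.

```python
"""Post-update check for USN-8454-1: is libheif at or above the fixed version
for this Ubuntu release, and does any process still map the pre-update copy?"""
import os
import platform
import subprocess
# Fixed versions named in the advisory, keyed by VERSION_ID from /etc/os-release.
FIXED = {"26.04": "1.21.2-3ubuntu0.1", "25.10": "1.20.2-1ubuntu0.4",
         "24.04": "1.17.6-1ubuntu4.4"}
PACKAGE = "libheif1"  # assumption: the runtime package name on Ubuntu

def _order(c):
    # dpkg's weight for non-digit characters: '~' sorts before the end of string
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's comparison of one component: alternating non-digit and digit runs
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = min(i + 1, len(a)), min(j + 1, len(b))
        while i < len(a) and a[i] == "0":  # leading zeros do not count
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1  # the longer digit run is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # '[epoch:]upstream[-revision]' -> (epoch, upstream, revision)
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, _, revision = rest.rpartition("-")
    if not upstream:
        upstream, revision = revision, ""
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Return -1, 0 or 1, mirroring `dpkg --compare-versions` without calling dpkg."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    for c in (_verrevcmp(u1, u2), _verrevcmp(r1, r2)):
        if c:
            return 1 if c > 0 else -1
    return 0

def is_patched(release, installed):
    """True/False when the advisory lists a fixed version for the release, else None."""
    fixed = FIXED.get(release)
    if fixed is None or installed is None:
        return None
    return compare_versions(installed, fixed) >= 0

def stale_mappings(maps_text):
    """libheif objects a process still maps after the file on disk was replaced."""
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) == 6 and "libheif" in parts[5] and parts[5].endswith(" (deleted)"):
            stale.add(parts[5][: -len(" (deleted)")])
    return stale

# Constructed sample of /proc/<pid>/maps lines: one replaced library, one current.
SAMPLE_MAPS = ("7f3a1c000000-7f3a1c0a0000 r-xp 00000000 08:01 523412 "
               "/usr/lib/x86_64-linux-gnu/libheif.so.1.17.6 (deleted)\n"
               "7f3a1d000000-7f3a1d100000 r-xp 00000000 08:01 523500 "
               "/usr/lib/x86_64-linux-gnu/libde265.so.0.1.1\n")

if __name__ == "__main__":
    release = platform.freedesktop_os_release().get("VERSION_ID")
    query = subprocess.run(["dpkg-query", "-W", "-f=${Version}", PACKAGE],
                           capture_output=True, text=True)
    installed = query.stdout.strip() or None
    print(f"Ubuntu {release}: {PACKAGE} {installed}, patched: {is_patched(release, installed)}")
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/maps") as f:
                stale = stale_mappings(f.read())
        except OSError:
            continue
        if stale:
            print(f"PID {pid} still maps the old {', '.join(sorted(stale))}; restart it")
```

Run it as your own user after apt upgrade: it prints whether the installed libheif1 meets the advisory's fixed version for your release (None for releases the script has no fixed version for, such as the ESM branches) and lists any process that still has the replaced library mapped, which is exactly the set you need to close and reopen. The "(deleted)" scan only sees processes whose maps you are allowed to read, so run it with sudo if you want system services included.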
Until you update, plain common sense matters as much as the patch: don’t open HEIF or AVIF images from sources you don’t control, and be wary of shared folders with files of dubious origin, since automatic thumbnail generation can trigger the bug without you clicking anything.
If you want to follow Canonical’s patch cadence, we covered other recent advisories such as USN-8059-1 on the kernel, and there’s an overview of the current release in Ubuntu 26.04 LTS.