ALAS2023-2026-1919


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1919
Advisory Released Date: 2026-07-07
Advisory Updated Date: 2026-07-07
Severity: Important

Issue Overview:

A critical heap-based buffer overflow vulnerability exists in libheif v1.21.2 (and likely earlier versions) within the handling of uncompressed HEIF images (ISO/IEC 23001-17, unci item type). When processing a tiled image with chroma subsampling (e.g., 4:2:0 or 4:2:2), the library fails to scale spatial offsets for the chroma planes. This leads to out-of-bounds memory writes when decoding any tile other than the top-left one, potentially resulting in remote code execution (RCE). (from https://project-zero.issues.chromium.org/issues/507396184) (CVE-2026-47178)

libheif is a HEIF and AVIF file format decoder and encoder. Prior to version 1.22.1, the uncompressed HEIF decoder validates explicit icef compressed-unit offsets using unit_offset + unit_size. Because the addition can wrap, a crafted HEIF file can pass the range check and then construct a vector from iterators outside the compressed item buffer, producing an out-of-bounds heap read and crash. Version 1.22.1 patches the issue. (CVE-2026-49271)


Affected Packages:

libheif


Issue Correction:
Run dnf update libheif --releasever 2023.12.20260706 or dnf update --advisory ALAS2023-2026-1919 --releasever 2023.12.20260706 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    libheif-debuginfo-1.19.8-1.amzn2023.0.6.aarch64
    heif-pixbuf-loader-1.19.8-1.amzn2023.0.6.aarch64
    heif-pixbuf-loader-debuginfo-1.19.8-1.amzn2023.0.6.aarch64
    libheif-devel-1.19.8-1.amzn2023.0.6.aarch64
    libheif-tools-debuginfo-1.19.8-1.amzn2023.0.6.aarch64
    libheif-debugsource-1.19.8-1.amzn2023.0.6.aarch64
    libheif-1.19.8-1.amzn2023.0.6.aarch64
    libheif-tools-1.19.8-1.amzn2023.0.6.aarch64

src:
    libheif-1.19.8-1.amzn2023.0.6.src

x86_64:
    libheif-debuginfo-1.19.8-1.amzn2023.0.6.x86_64
    libheif-tools-debuginfo-1.19.8-1.amzn2023.0.6.x86_64
    libheif-debugsource-1.19.8-1.amzn2023.0.6.x86_64
    heif-pixbuf-loader-debuginfo-1.19.8-1.amzn2023.0.6.x86_64
    libheif-devel-1.19.8-1.amzn2023.0.6.x86_64
    heif-pixbuf-loader-1.19.8-1.amzn2023.0.6.x86_64
    libheif-tools-1.19.8-1.amzn2023.0.6.x86_64
    libheif-1.19.8-1.amzn2023.0.6.x86_64