[BUG] Thumbnails no longer work #1844
Description
Description
This affects all files, images, svg, doc, pdf, mp4, etc.
Everything was working perfectly, but since the update 2-3 days ago (the one that added virtual machines), thumbnails no longer work.
I am running silverblue-nvidia-open-hardened:latest
AMD Ryzen™ 9 9950X3D × 32
NVIDIA GeForce RTX™ 5080
Linux 6.18.5-200.fc43.x86_64
Gnome Wayland 49
I have never installed the SUID-root, Xwayland, or gnome-extension packages.
I followed the post-installation process by enabling kernel arguments (except unstable ones), creating a separate wheel admin account, locking down the bash environment,
I tried to delete the thumbnail cache in
rm -rf ~/.cache/thumbnails/*
then restarted Nautilus
nautilus -q
It doesn't work
The glycin packages are installed correctly with the command I find this:
dnf list --installed | grep -i glycin
glycin-libs.x86_64 2.0.5-1.fc43
glycin-loaders.x86_64 2.0.5-1.fc43
glycin-thumbnailer.x86_64 2.0.5-1.fc43
My system status
rpm-ostree status
State: idle
warning: Failed to query journal: couldn't find current boot in journal
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: no runs since boot
Deployments:
ostree-image-signed:docker://ghcr.io/secureblue/silverblue-nvidia-open-hardened:latest
Digest: sha256:0b7fce4b39adaac58560ccb9e00c9bcc9fd13e02956be1cfd99d70c71d8fe1b7
Version: 43.20260123.0 (2026-01-23T15:12:54Z)
LayeredPackages: proton-vpn-gnome-desktop
I tried launching Nautilus without hardenec_malloc, but the problem persists.
ujust with-standard-malloc nautilus
I even created a second profile to open another session, but the same problem persists here too.
The glycin definition files do exist (are any missing?) in the /usr/share/thumbnailers folder:
ls /usr/share/thumbnailers
ffmpegthumbnailer.thumbnailer
glycin-image-rs.thumbnailer
glycin-svg.thumbnailer
gnome-mobi-thumbnailer.thumbnailer
heif.thumbnailer
glycin-heif.thumbnailer
glycin-jxl.thumbnailer
gnome-epub-thumbnailer.thumbnailer
gsf-office.thumbnailer
papers.thumbnailer
In the Nautilus settings, I also checked that under the “Performance” tab, “Show thumbnails” is set to ‘Always’ or “Local files only.”
I also did an rpm-ostree rollback, but that didn't work either.
I tested it by installing the XnView flatpak via Flathub (official flatpak). To make it work, you need to add the variable QT_QPA_PLATFORM=wayland in Flatseal.
XnView displays thumbnails correctly in the application itself.
Hopeless, I searched for help with Google AI 🤷🏻♂️
It tells me
The problem you are experiencing on secureblue (Fedora 43 / GNOME 49) is a known bug from early 2026 related to the transition to the Glycin framework and the project's enhanced seccomp security policies.
Here is the analysis and specific solutions based on the latest bug reports:
- Main cause: Glycin / Bubblewrap / Seccomp conflict
Since the GNOME 49 update, thumbnail rendering has been delegated to Glycin. For security reasons, Glycin launches its rendering processes inside a bwrap (Bubblewrap) sandbox.The bug: On “hardened” images, Glycin's seccomp filter can conflict with the restrictions of secureblue's hardened kernel. A SIGSYS signal kills the thumbnail creation process because some system calls required by bwrap are blocked.
Proof: The fact that XnView (Flatpak) works confirms that your system libraries are healthy, but that it is Nautilus' native integration with Glycin that is failing.
When I delete the cache folder for failed thumbnail creation and restart Nautilus, it still doesn't work.
/home/user/.cache/thumbnails/fail/gnome-thumbnail-factory
In this folder, I can see the failed thumbnail files, but when I open the image, it's a blank image.
To confirm whether this is a security crash (SIGSYS), I ran this command while opening a folder containing images in Nautilus:
run0
journalctl -f | grep -i glycin
Jan 23 20:09:04 Host-001 systemd[5404]: dbus-:[email protected]: Unit process 23019 (glycin-image-rs) remains running after unit stopped.
Jan 23 20:09:23 Host-001 nautilus[24007]: WARNING: Glycin running without sandbox.
Jan 23 20:09:25 Host-001 nautilus[24007]: WARNING: Glycin running without sandbox.
I'm not sure if this indicates a sandbox issue.
Google AI tells me:
The WARNING: Glycin running without sandbox error, coupled with the fact that the glycin-image-rs process remains stuck (zombie), confirms that the thumbnail rendering system is crippled by an incompatibility between secureblue's security policies and the new Glycin framework.
I killed all glycyn processes
then deleted the cache rm -rf ~/.cache/thumbnails/fail/gnome-thumbnail-factory/*
restart nautilus -q
does not work
Google AI tells me : (I didn't do this because I'm afraid of breaking my system)
Resolving the Bubblewrap (bwrap) conflict
On secureblue, the execution of bwrap (Glycin's sandbox) is often blocked by the kernel arguments kernel.unprivileged_userns_clone=0.
If Glycin tries to launch without a sandbox (as indicated in your log) when it is configured to require one, it stops for security reasons.
Workaround test:
Check if you can temporarily re-enable user namespaces (this does not require a reboot) to see if the thumbnails reappear:
run0 sysctl -w kernel.unprivileged_userns_clone=1
nautilus -q
# Delete the cache again and open an image folder
rm -rf ~/.cache/thumbnails/*
If this works, the problem is caused by kernel hardening, which blocks Glycin's security mechanism.
Nothing worked. It's a very annoying bug. Honestly, everything was working perfectly... I love this project that 's why I try to support
Reproduce
Update system to latest
Expected
Thumbnails must work
Actual
Not work
Image
rpm-ostree status State: idle warning: Failed to query journal: couldn't find current boot in journal AutomaticUpdates: stage; rpm-ostreed-automatic.timer: no runs since boot Deployments: ostree-image-signed:docker://ghcr.io/secureblue/silverblue-nvidia-open-hardened:latest Digest: sha256:0b7fce4b39adaac58560ccb9e00c9bcc9fd13e02956be1cfd99d70c71d8fe1b7 Version: 43.20260123.0 (2026-01-23T15:12:54Z) LayeredPackages: proton-vpn-gnome-desktop
Upstream
?
Declaration
- I agree to follow this project's Code of Conduct.
- I declare that this is not a request for alternate community messaging or social platforms.
- I declare that I have read the secureblue website and my feature request is in-scope.