{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20884", "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "state": "PUBLISHED", "assignerShortName": "talos", "dateReserved": "2026-01-29T14:17:38.877Z", "datePublished": "2026-04-07T13:49:22.423Z", "dateUpdated": "2026-04-13T13:04:17.769Z"}, "containers": {"cna": {"affected": [{"vendor": "LibRaw", "product": "LibRaw", "versions": [{"version": "Commit 8dc68e2", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE", "cweId": "CWE-190"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos", "dateUpdated": "2026-04-07T13:49:22.423Z"}, "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364"}], "credits": [{"lang": "en", "value": "Discovered by Francesco Benvenuto of Cisco Talos."}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2364"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-07T16:23:20.112Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20884", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T03:55:46.456573Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:04:17.769Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2364"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-07T16:23:20.112Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20884", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T03:55:46.456573Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:00:39.189Z"}}], "cna": {"credits": [{"lang": "en", "value": "Discovered by Francesco Benvenuto of Cisco Talos."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "LibRaw", "product": "LibRaw", "versions": [{"status": "affected", "version": "Commit 8dc68e2"}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364"}], "descriptions": [{"lang": "en", "value": "An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos", "dateUpdated": "2026-04-07T13:49:22.423Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20884", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:04:17.769Z", "dateReserved": "2026-01-29T14:17:38.877Z", "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "datePublished": "2026-04-07T13:49:22.423Z", "assignerShortName": "talos"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libraw:libraw:0.22.1:*:*:*:*:*:*:*", "matchCriteriaId": "BDC62434-024F-485D-A1B0-8608B70A2CF1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability."}], "id": "CVE-2026-20884", "lastModified": "2026-04-10T20:50:52.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "talos-cna@cisco.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-07T15:17:35.127", "references": [{"source": "talos-cna@cisco.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2364"}], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "talos-cna@cisco.com", "type": "Secondary"}]}

{"bugzilla": {"description": "LibRaw: LibRaw: Arbitrary code execution via integer overflow in deflate_dng_load_raw", "id": "2455934", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455934"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in LibRaw. An integer overflow vulnerability in the `deflate_dng_load_raw` functionality allows a remote attacker to provide a specially crafted malicious file. This can lead to a heap buffer overflow, potentially resulting in arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "This vulnerability can be mitigated by limiting the amount of memory used to unpack untrusted RAW images. This needs to be set in the application using the LibRaw and can be achieved by setting the `max_raw_memory_mb` to a value smaller than 16GB.\nThis parameter can't be changed in runtime in the library, so developers needs to patch and rebuild their application to impose the new limit. It's important to notice the fact when reducing the memory limit for the decoding process may render the library unable to handle big images."}, "name": "CVE-2026-20884", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "LibRaw", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "LibRaw", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "LibRaw", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-07T13:49:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-20884\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-20884\nhttps://github.com/LibRaw/LibRaw/releases/tag/0.22.1\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2026-2364"], "statement": "This flaw in the LibRaw library consists in an integer overflow in the `deflate_dng_load_raw()` function, a successfully performed attack may lead to a heap buffer overflow and potentially arbitrary code execution or denial of service. The vulnerability stems from the usage of a 32-bit arithmetic to calculate the memory limits and the buffer allocation size for the image's tile dimension values, which may end up overflowing when processing user controlled images as input. The calculation result is further used within 64-bit boundary checking however the proper cast is missing and the result value is used to allocate the buffer from memory, when the overflow happens the function may start writing outside of the expected memory boundary leading to data corruption.\nThis vulnerability is not exploitable when the application consuming LibRaw is using the default memory limit (`max_raw_memory_mb` parameter) to unpack the RAW image. To be considered vulnerable the application should be setting the limit to around or greater then 11GB.\nRed Hat Product Security has rated this vulnerability as having a Moderate impact, despite the possibility of arbitrary code execution due to the heap-based buffer overflow, as the user needs to be tricked to process a maliciously crafted image or LibRaw needs to be exposed to the network and accepting untrusted data as input. Additionally the default `max_raw_memory_mb` value set with LibRaw is not enough to trigger the vulnerability.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Commit 8dc68e2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LibRaw", "source": "cna", "vendor": "LibRaw"}, "product": "libraw", "vendor": "libraw"}], "analysis": {"en": {"generated_at": "2026-04-10T23:37:08.502635+00:00", "value": {"mitigation_remediation": ["Upgrade LibRaw to the latest release (\u2265\u202f0.22.2 or newer) and rebuild any applications that link against the library.", "Verify that your build pulls the patched commit (after 8dc68e2) and update dependency references accordingly.", "If an upgrade cannot be applied immediately, restrict or quarantine the processing of untrusted DNG files and validate file integrity before they are handed to LibRaw."], "summary": {"action": "Apply patch", "impact": "Arbitrary code execution"}, "threat_synthesis": {"affected_systems": "LibRaw version\u202f0.22.1 is affected. Applications that link against this release, such as image editors or viewers that process DNG files, are at risk. The vulnerability is limited to this exact version; newer releases are unaffected.", "description_and_impact": "An integer overflow in the deflate_dng_load_raw function of LibRaw allows a malicious DNG file to corrupt a heap buffer, which can be leveraged for arbitrary code execution. The flaw is classified as CWE\u2011190, Integer Overflow or Wraparound, and leads to a heap buffer overflow that compromises confidentiality, integrity, and availability of the host process.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity vulnerability. EPSS is under 1\u202f%, so the likelihood of exploitation is currently low, and the flaw is not documented in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires feeding a specially crafted DNG file to a program that invokes LibRaw; depending on the target, this can happen via local file upload, remote file transfer, or automatic download, making the attack vector potentially remote if the application accepts untrusted files over a network."}}}}, "created": "2026-04-08T19:37:57.281435+00:00", "updated": "2026-04-13T14:27:15.231444+00:00", "vendors": ["libraw", "libraw$PRODUCT$libraw"]}