{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20911", "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "state": "PUBLISHED", "assignerShortName": "talos", "dateReserved": "2026-01-21T16:22:17.256Z", "datePublished": "2026-04-07T13:49:31.223Z", "dateUpdated": "2026-04-08T03:55:51.222Z"}, "containers": {"cna": {"affected": [{"vendor": "LibRaw", "product": "LibRaw", "versions": [{"version": "Commit 0b56545", "status": "affected"}, {"version": "Commit d20315b", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-131: Incorrect Calculation of Buffer Size", "type": "CWE", "cweId": "CWE-131"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "providerMetadata": {"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos", "dateUpdated": "2026-04-07T13:49:31.223Z"}, "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330"}], "credits": [{"lang": "en", "value": "Discovered by Francesco Benvenuto of Cisco Talos."}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-20911"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T03:55:51.222Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2330"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-07T16:23:22.203Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2330"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-07T16:23:22.203Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20911", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T14:35:15.879713Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:35:46.839Z"}}], "cna": {"credits": [{"lang": "en", "value": "Discovered by Francesco Benvenuto of Cisco Talos."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "LibRaw", "product": "LibRaw", "versions": [{"status": "affected", "version": "Commit 0b56545"}, {"status": "affected", "version": "Commit d20315b"}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330"}], "descriptions": [{"lang": "en", "value": "A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-131", "description": "CWE-131: Incorrect Calculation of Buffer Size"}]}], "providerMetadata": {"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos", "dateUpdated": "2026-04-07T13:49:31.223Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20911", "state": "PUBLISHED", "dateUpdated": "2026-04-08T03:55:51.222Z", "dateReserved": "2026-01-21T16:22:17.256Z", "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "datePublished": "2026-04-07T13:49:31.223Z", "assignerShortName": "talos"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libraw:libraw:0.22.0:*:*:*:*:*:*:*", "matchCriteriaId": "9ACBEE8D-088E-4185-BD49-B862B996D3C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:libraw:libraw:0.22.1:*:*:*:*:*:*:*", "matchCriteriaId": "BDC62434-024F-485D-A1B0-8608B70A2CF1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability."}], "id": "CVE-2026-20911", "lastModified": "2026-04-10T20:50:34.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "talos-cna@cisco.com", "type": "Secondary"}]}, "published": "2026-04-07T15:17:35.467", "references": [{"source": "talos-cna@cisco.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2330"}], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-131"}], "source": "talos-cna@cisco.com", "type": "Secondary"}]}

{"bugzilla": {"description": "LibRaw: LibRaw: Arbitrary Code Execution via specially crafted file", "id": "2455959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455959"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-120", "details": ["A flaw was found in LibRaw. A remote attacker can exploit a heap-based buffer overflow vulnerability in the HuffTable::initval functionality by providing a specially crafted malicious file. This can lead to arbitrary code execution or a denial of service (DoS) on the affected system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-20911", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libraw1394", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "LibRaw", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "libraw1394", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "LibRaw", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "libraw1394", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "LibRaw", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-07T13:49:31Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-20911\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-20911\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2026-2330"], "statement": "LibRaw is not installed by default on Red Hat systems. A user would need to manually install and make available an affected code path for this vulnerability to be exploitable.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "0b56545"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "d20315b"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LibRaw", "source": "cna", "vendor": "LibRaw"}, "product": "libraw", "vendor": "libraw"}], "analysis": {"en": {"generated_at": "2026-04-10T22:44:49.974396+00:00", "value": {"mitigation_remediation": ["Upgrade LibRaw to a version later than 0.22.1, such as 0.22.2 or newer, which contains the necessary fix.", "If upgrading immediately is not possible, restrict or quarantine the use of LibRaw in handling untrusted image files until a patch is applied.", "Monitor logs and security alerts for signs of exploitation attempts or anomalous behaviors in applications that import images via LibRaw."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the LibRaw image processing library, specifically versions 0.22.0 and 0.22.1. Any system or application using these versions is potentially vulnerable until patched or upgraded.", "description_and_impact": "A heap\u2011based buffer overflow exists within LibRaw\u2019s HuffTable::initval routine, allowing a specially crafted image file to corrupt memory and potentially execute arbitrary code. The vulnerability is tied to two specific commits and can be triggered by providing a malicious file to LibRaw. Successful exploitation would compromise the integrity and confidentiality of any application or system that imports the file, and could lead to full system takeover if the process runs with elevated privileges.", "risk_and_exploitability": "The CVSS base score of 9.8 marks this as a critical vulnerability, yet the EPSS score of less than 1% indicates low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a crafted file to a LibRaw instance; therefore, the likely attack vector is a local or unauthenticated file\u2011processing scenario where untrusted images are processed. If an application processes images from untrusted sources, the risk is amplified, as the attacker can gain code execution within that application\u2019s context."}}}}, "created": "2026-04-08T19:37:51.057186+00:00", "updated": "2026-04-13T14:26:46.940100+00:00", "vendors": ["libraw", "libraw$PRODUCT$libraw"]}