Skip to main content

Libraw CVE-2026-20889

| EUVDEUVD-2026-19620 CRITICAL
Integer Overflow or Wraparound (CWE-190)
2026-04-07 talos GHSA-9m8r-gj3p-r7rw
9.8
CVSS 3.1 · Vendor: talos
Share

Severity by source

Vendor (talos) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (talos).

CVSS VectorVendor: talos

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 14:30 euvd
EUVD-2026-19620
Analysis Generated
Apr 07, 2026 - 14:30 vuln.today
CVE Published
Apr 07, 2026 - 13:49 nvd
CRITICAL 9.8

DescriptionCVE.org

A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

AnalysisAI

Heap-based buffer overflow in LibRaw's x3f_thumb_loader function allows remote code execution via malformed image files. The vulnerability affects LibRaw commit d20315b, a widely-used raw image processing library integrated into applications like ImageMagick, GIMP, and numerous photo management tools. The CVSS 9.8 critical rating reflects network-exploitable conditions requiring no authentication or user interaction. With an EPSS score not yet available and no CISA KEV listing, active exploitation is not confirmed at time of analysis, though the attack complexity is low and requires only delivering a specially crafted file to vulnerable processing workflows.

Technical ContextAI

LibRaw is an open-source library for reading and processing raw digital camera image formats. The vulnerability resides in the x3f_thumb_loader function, which handles thumbnail extraction from Sigma X3F camera files. The root cause is an integer overflow (CWE-190) during buffer size calculations that leads to undersized heap allocation. When processing thumbnail data, the overflow causes the library to allocate insufficient memory, followed by out-of-bounds writes during data copying operations. The affected CPE cpe:2.3:a:libraw:libraw indicates the core library itself is vulnerable, meaning any application statically or dynamically linking LibRaw for raw image processing inherits this exposure. The x3f_thumb_loader typically executes during early file parsing stages, before user-visible rendering, making the vulnerability triggerable through automated image processing pipelines, thumbnail generators, or preview functions.

RemediationAI

Organizations should immediately audit their application stack for LibRaw dependencies and prioritize patching systems that process untrusted image files. Upstream fix availability not independently confirmed from available data at time of analysis; monitor the LibRaw GitHub repository and the Cisco Talos advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358 for release announcements. As interim mitigation, implement strict input validation to reject malformed X3F files before LibRaw processing, deploy image processing in sandboxed or containerized environments with minimal privileges, and disable automatic thumbnail generation for X3F format if business requirements permit. For high-risk environments like public-facing image upload services, consider temporarily disabling X3F format support until patches are deployed. Ensure LibRaw-dependent applications like ImageMagick and GIMP are updated once their respective vendors release patched versions incorporating the LibRaw fix.

More in Libraw

View all
CVE-2018-20337 HIGH POC
8.8 Dec 21

There is a stack-based buffer overflow in the parse_makernote function of dcraw_common.cpp in LibRaw 0.19.1. Rated high

CVE-2013-2126 HIGH POC
7.5 Aug 14

Multiple double free vulnerabilities in the LibRaw::unpack function in libraw_cxx.cpp in LibRaw before 0.15.2 allow cont

CVE-2020-24889 HIGH POC
7.8 Sep 16

A buffer overflow vulnerability in LibRaw version < 20.0 LibRaw::GetNormalizedModel in src/metadata/normalize_model.cpp

CVE-2013-2127 HIGH POC
7.5 Aug 14

Buffer overflow in the exposure correction code in LibRaw before 0.15.1 allows context-dependent attackers to cause a de

CVE-2023-1729 MEDIUM POC
6.5 May 15

A flaw was found in LibRaw. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authenticat

CVE-2020-15365 MEDIUM POC
6.5 Jun 28

LibRaw before 0.20-Beta3 has an out-of-bounds write in parse_exif() in metadata\exif_gps.cpp via an unrecognized AtomNam

CVE-2018-20365 MEDIUM POC
6.5 Dec 22

LibRaw::raw2image() in libraw_cxx.cpp has a heap-based buffer overflow. Rated medium severity (CVSS 6.5), this vulnerabi

CVE-2018-20364 MEDIUM POC
6.5 Dec 22

LibRaw::copy_bayer in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointer dereference. Rated medium severity (CVSS 6.5),

CVE-2018-20363 MEDIUM POC
6.5 Dec 22

LibRaw::raw2image in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointer dereference. Rated medium severity (CVSS 6.5), t

CVE-2017-14265 CRITICAL
9.8 Sep 11

A Stack-based Buffer Overflow was discovered in xtrans_interpolate in internal/dcraw_common.cpp in LibRaw before 0.18.3.

CVE-2017-6886 CRITICAL
9.8 May 16

An error within the "parse_tiff_ifd()" function (internal/dcraw_common.cpp) in LibRaw versions before 0.18.2 can be expl

CVE-2026-20911 CRITICAL
9.8 Apr 07

Heap-based buffer overflow in LibRaw's HuffTable::initval function allows unauthenticated remote attackers to achieve ar

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-20889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy