Skip to main content

Art CVE-2026-4731

| EUVDEUVD-2026-14714 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-03-24 GovTech CSG GHSA-5qh6-xmvm-2jfr
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
N

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 03:30 euvd
EUVD-2026-14714
Analysis Generated
Mar 24, 2026 - 03:30 vuln.today
Patch released
Mar 24, 2026 - 03:30 nvd
Patch available
CVE Published
Mar 24, 2026 - 02:44 nvd
HIGH 8.5

DescriptionCVE.org

Integer Overflow or Wraparound vulnerability in artraweditor ART (‎rtengine‎ modules). This vulnerability is associated with program files dcraw.C.

This issue affects ART: before 1.25.12.

AnalysisAI

Integer overflow in ART's rtengine dcraw.C module before version 1.25.12 allows local attackers with user interaction to achieve high-impact compromise of confidentiality, integrity, and availability. This vulnerability requires local access and user interaction to trigger, making it exploitable primarily through malicious image files or project files opened by victims.

Technical ContextAI

The vulnerability resides in the dcraw.C file, which is part of ART's rtengine modules responsible for raw image decoding and processing. The affected component (CPE: cpe:2.3:a:artraweditor:art:*:*:*:*:*:*:*:*) handles low-level digital camera raw file formats. The root cause is classified as CWE-190 (Integer Overflow or Wraparound), a well-known class of vulnerability where arithmetic operations on integers fail to detect overflow conditions, leading to unexpected program state. In image processing libraries like dcraw derivatives, integer overflows commonly occur during buffer size calculations, dimension computations, or pixel data aggregation operations, potentially leading to heap buffer overflows or out-of-bounds memory access.

RemediationAI

Upgrade ART (artraweditor) to version 1.25.12 or later, which incorporates the fix from vendor patch PR #427 (https://github.com/artraweditor/ART/pull/427). Users unable to upgrade immediately should restrict the application to processing only trusted, pre-validated raw image files and consider disabling automated batch processing of untrusted image sources. Since ART is a desktop/workstation application rather than a network service, network-level mitigations are not applicable; the primary control is timely patching.

Share

CVE-2026-4731 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy