Skip to main content

Libraw EUVD-2026-19624

| CVE-2026-21413 CRITICAL
Improper Validation of Array Index (CWE-129)
2026-04-07 talos GHSA-g53g-r75r-95g5
Buffer Overflow Libraw
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 14:30 euvd
EUVD-2026-19624
Analysis Generated
Apr 07, 2026 - 14:30 vuln.today
CVE Published
Apr 07, 2026 - 13:49 nvd
CRITICAL 9.8

DescriptionCVE.org

A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

AnalysisAI

Heap-based buffer overflow in LibRaw's lossless JPEG processing (commits 0b56545 and d20315b) allows unauthenticated remote attackers to achieve arbitrary code execution by providing a malicious image file. The vulnerability scores CVSS 9.8 (Critical) with network attack vector, low complexity, and no authentication required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious JPEG file with oversized data
Delivery
Send file to LibRaw application
Exploit
Trigger lossless_jpeg_load_raw parser
Execution
Overflow heap buffer
Impact
Execute arbitrary code with application privileges
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Remote unauthenticated attacker can exploit this by providing a specially crafted malicious JPEG file to any application using LibRaw Commit 0b56545 or Commit d20315b. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 9.8 score reflects maximum severity across confidentiality, integrity, and availability impacts with an easily exploitable network attack vector (AV:N, AC:L, PR:N, UI:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious RAW image file containing specially formatted JPEG lossless compression data with out-of-bounds array indices in the decompression parameters. The attacker uploads this file to a web application using LibRaw for thumbnail generation or image processing, or sends it via email to a user whose photo management software employs the vulnerable library. …
Remediation Organizations should immediately audit LibRaw deployments to determine if vulnerable commits 0b56545 or d20315b are present in production systems. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all systems running LibRaw (check dependencies in web apps, image processors, and document handlers); disable or restrict image upload functionality if feasible; implement input validation to reject suspicious JPEG files. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-19624 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy