{ "threat_severity" : "Moderate", "public_date" : "2026-04-07T13:49:22Z", "bugzilla" : { "description" : "LibRaw: LibRaw: Arbitrary code execution via integer overflow in deflate_dng_load_raw", "id" : "2455934", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2455934" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status" : "draft" }, "cwe" : "CWE-190", "details" : [ "An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.", "A flaw was found in LibRaw. An integer overflow vulnerability in the `deflate_dng_load_raw` functionality allows a remote attacker to provide a specially crafted malicious file. This can lead to a heap buffer overflow, potentially resulting in arbitrary code execution." ], "statement" : "This flaw in the LibRaw library consists in an integer overflow in the `deflate_dng_load_raw()` function, a successfully performed attack may lead to a heap buffer overflow and potentially arbitrary code execution or denial of service. The vulnerability stems from the usage of a 32-bit arithmetic to calculate the memory limits and the buffer allocation size for the image's tile dimension values, which may end up overflowing when processing user controlled images as input. The calculation result is further used within 64-bit boundary checking however the proper cast is missing and the result value is used to allocate the buffer from memory, when the overflow happens the function may start writing outside of the expected memory boundary leading to data corruption.\nThis vulnerability is not exploitable when the application consuming LibRaw is using the default memory limit (`max_raw_memory_mb` parameter) to unpack the RAW image. To be considered vulnerable the application should be setting the limit to around or greater then 11GB.\nRed Hat Product Security has rated this vulnerability as having a Moderate impact, despite the possibility of arbitrary code execution due to the heap-based buffer overflow, as the user needs to be tricked to process a maliciously crafted image or LibRaw needs to be exposed to the network and accepting untrusted data as input. Additionally the default `max_raw_memory_mb` value set with LibRaw is not enough to trigger the vulnerability.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "LibRaw", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "LibRaw", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "LibRaw", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-20884\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-20884\nhttps://github.com/LibRaw/LibRaw/releases/tag/0.22.1\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2026-2364" ], "name" : "CVE-2026-20884", "mitigation" : { "value" : "This vulnerability can be mitigated by limiting the amount of memory used to unpack untrusted RAW images. This needs to be set in the application using the LibRaw and can be achieved by setting the `max_raw_memory_mb` to a value smaller than 16GB.\nThis parameter can't be changed in runtime in the library, so developers needs to patch and rebuild their application to impose the new limit. It's important to notice the fact when reducing the memory limit for the decoding process may render the library unable to handle big images.", "lang" : "en:us" }, "csaw" : false }