{
  "threat_severity" : "Important",
  "public_date" : "2026-04-07T13:49:25Z",
  "bugzilla" : {
    "description" : "LibRaw: LibRaw: Memory Corruption via Malicious File Processing",
    "id" : "2455926",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2455926"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-120",
  "details" : [ "A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.", "A flaw was found in LibRaw. A remote attacker could exploit a heap-based buffer overflow vulnerability in the x3f_load_huffman functionality by providing a specially crafted malicious file. This can lead to memory corruption, potentially allowing the attacker to execute arbitrary code or cause a denial of service." ],
  "statement" : "LibRaw is not installed by default on Red Hat systems. A user would need to manually install it and make an affected code path available for this vulnerability to be exploitable.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13284",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "LibRaw-0:0.19.5-6.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:15926",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "LibRaw-0:0.19.5-2.el8_4.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:15926",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4",
    "package" : "LibRaw-0:0.19.5-2.el8_4.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:15925",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "LibRaw-0:0.19.5-3.el8_6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:15925",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "LibRaw-0:0.19.5-3.el8_6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:15925",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "LibRaw-0:0.19.5-3.el8_6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:15924",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "LibRaw-0:0.19.5-3.el8_8.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:15924",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "LibRaw-0:0.19.5-3.el8_8.2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "libraw1394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "LibRaw",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "libraw1394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "libraw1394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "LibRaw",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-24660\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24660\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2026-2359" ],
  "name" : "CVE-2026-24660",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}