{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20884", "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "state": "PUBLISHED", "assignerShortName": "talos", "dateReserved": "2026-01-29T14:17:38.877Z", "datePublished": "2026-04-07T13:49:22.423Z", "dateUpdated": "2026-04-08T03:55:45.636Z"}, "containers": {"cna": {"affected": [{"vendor": "LibRaw", "product": "LibRaw", "versions": [{"version": "Commit 8dc68e2", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE", "cweId": "CWE-190"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos", "dateUpdated": "2026-04-07T13:49:22.423Z"}, "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364"}], "credits": [{"lang": "en", "value": "Discovered by Francesco Benvenuto of Cisco Talos."}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2364"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-07T16:23:20.112Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-20884"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T03:55:45.636Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libraw:libraw:0.22.1:*:*:*:*:*:*:*", "matchCriteriaId": "BDC62434-024F-485D-A1B0-8608B70A2CF1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability."}], "id": "CVE-2026-20884", "lastModified": "2026-04-10T20:50:52.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "talos-cna@cisco.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-07T15:17:35.127", "references": [{"source": "talos-cna@cisco.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2364"}], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "talos-cna@cisco.com", "type": "Secondary"}]}

{"bugzilla": {"description": "LibRaw: LibRaw: Arbitrary code execution via integer overflow in deflate_dng_load_raw", "id": "2455934", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455934"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in LibRaw. An integer overflow vulnerability in the `deflate_dng_load_raw` functionality allows a remote attacker to provide a specially crafted malicious file. This can lead to a heap buffer overflow, potentially resulting in arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "This vulnerability can be mitigated by limiting the amount of memory used to unpack untrusted RAW images. This needs to be set in the application using the LibRaw and can be achieved by setting the `max_raw_memory_mb` to a value smaller than 16GB.\nThis parameter can't be changed in runtime in the library, so developers needs to patch and rebuild their application to impose the new limit. It's important to notice the fact when reducing the memory limit for the decoding process may render the library unable to handle big images."}, "name": "CVE-2026-20884", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "LibRaw", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "LibRaw", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "LibRaw", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-07T13:49:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-20884\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-20884\nhttps://github.com/LibRaw/LibRaw/releases/tag/0.22.1\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2026-2364"], "statement": "This flaw in the LibRaw library consists in an integer overflow in the `deflate_dng_load_raw()` function, a successfully performed attack may lead to a heap buffer overflow and potentially arbitrary code execution or denial of service. The vulnerability stems from the usage of a 32-bit arithmetic to calculate the memory limits and the buffer allocation size for the image's tile dimension values, which may end up overflowing when processing user controlled images as input. The calculation result is further used within 64-bit boundary checking however the proper cast is missing and the result value is used to allocate the buffer from memory, when the overflow happens the function may start writing outside of the expected memory boundary leading to data corruption.\nThis vulnerability is not exploitable when the application consuming LibRaw is using the default memory limit (`max_raw_memory_mb` parameter) to unpack the RAW image. To be considered vulnerable the application should be setting the limit to around or greater then 11GB.\nRed Hat Product Security has rated this vulnerability as having a Moderate impact, despite the possibility of arbitrary code execution due to the heap-based buffer overflow, as the user needs to be tricked to process a maliciously crafted image or LibRaw needs to be exposed to the network and accepting untrusted data as input. Additionally the default `max_raw_memory_mb` value set with LibRaw is not enough to trigger the vulnerability.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Commit 8dc68e2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LibRaw", "source": "cna", "vendor": "LibRaw"}, "product": "libraw", "vendor": "libraw"}], "analysis": {"en": {"generated_at": "2026-04-07T20:11:35.090651+00:00", "value": {"mitigation_remediation": ["Check the LibRaw project for a newer release that removes the vulnerable commit", "If no update is available, apply any interim patch or code change released by the maintainers to address the integer overflow", "Redesign or configure applications to reject or sandbox the loading of untrusted DNG files until a secure update is applied"], "summary": {"action": "Apply Patch", "impact": "Heap Buffer Overflow"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in LibRaw at commit 8dc68e2 and affects any application that uses this version to load DNG image files, such as photo editors, image conversion utilities, or other software that processes camera RAW images.", "description_and_impact": "A defect in the deflate_dng_load_raw routine of LibRaw allows an integer overflow when decoding a DNG file, which can overwrite heap memory. When a specially crafted file is processed, the overflow can corrupt memory and lead to unpredictable program behavior.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. Exploitation requires a malicious DNG file and is feasible in environments where untrusted images are processed. EPSS data is not available and the issue is not listed in CISA\u2019s KEV catalog, but the lack of a publicly available patch implies that unpatched installations are at risk of memory corruption from an attacker who can supply a malicious file."}}}}, "created": "2026-04-08T19:37:57.281435+00:00", "title": "Heap Buffer Overflow via Malicious DNG File in LibRaw", "updated": "2026-04-08T19:49:27.971690+00:00", "vendors": ["libraw", "libraw$PRODUCT$libraw"]}