CVE-2026-20884 — Integer Overflow or Wraparound in Libraw
Severity
9.8CRITICALNVD
EPSS
0.1%
top 83.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 7
Latest updateApr 16
Description
An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9
Affected Packages3 packages
🔴Vulnerability Details
2📋Vendor Advisories
2🕵️Threat Intelligence
2💬Community
7Bugzilla▶
CVE-2026-20884 digikam: LibRaw: Arbitrary code execution via integer overflow in deflate_dng_load_raw [fedora-all]↗2026-04-08
Bugzilla▶
CVE-2026-20884 darktable: LibRaw: Arbitrary code execution via integer overflow in deflate_dng_load_raw [fedora-all]↗2026-04-08
Bugzilla▶
CVE-2026-20884 LibRaw: LibRaw: Arbitrary code execution via integer overflow in deflate_dng_load_raw [epel-all]↗2026-04-08
Bugzilla▶
CVE-2026-20884 mingw-LibRaw: LibRaw: Arbitrary code execution via integer overflow in deflate_dng_load_raw [fedora-all]↗2026-04-08
Bugzilla▶
CVE-2026-20884 digikam: LibRaw: Arbitrary code execution via integer overflow in deflate_dng_load_raw [epel-all]↗2026-04-08