CVE-2026-20889 — Integer Overflow or Wraparound in Libraw
Severity
9.8CRITICALNVD
EPSS
0.1%
top 83.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 7
Latest updateApr 16
Description
A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9
Affected Packages3 packages
🔴Vulnerability Details
2📋Vendor Advisories
2🕵️Threat Intelligence
2💬Community
9Bugzilla▶
CVE-2026-20889 libraw1394: LibRaw: Arbitrary code execution via specially crafted image file [epel-all]↗2026-04-07
Bugzilla▶
CVE-2026-20889 mingw-LibRaw: LibRaw: Arbitrary code execution via specially crafted image file [fedora-all]↗2026-04-07
Bugzilla▶
CVE-2026-20889 LibRaw: LibRaw: Arbitrary code execution via specially crafted image file [fedora-all]↗2026-04-07
Bugzilla▶
CVE-2026-20889 digikam: LibRaw: Arbitrary code execution via specially crafted image file [epel-all]↗2026-04-07
Bugzilla▶
CVE-2026-20889 libraw1394: LibRaw: Arbitrary code execution via specially crafted image file [fedora-all]↗2026-04-07