CVE-2026-21413 — Improper Validation of Array Index in Libraw
Severity
9.8CRITICALNVD
EPSS
0.1%
top 83.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 7
Latest updateApr 16
Description
A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9
Affected Packages3 packages
🔴Vulnerability Details
2OSV▶
CVE-2026-21413: A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b↗2026-04-07
GHSA▶
GHSA-g53g-r75r-95g5: A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b↗2026-04-07
📋Vendor Advisories
2🕵️Threat Intelligence
2💬Community
9Bugzilla▶
CVE-2026-21413 mingw-LibRaw: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading [fedora-all]↗2026-04-07
Bugzilla▶
CVE-2026-21413 digikam: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading [epel-all]↗2026-04-07
Bugzilla▶
CVE-2026-21413 libraw1394: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading [fedora-all]↗2026-04-07
Bugzilla▶
CVE-2026-21413 libraw1394: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading [epel-all]↗2026-04-07
Bugzilla▶
CVE-2026-21413 digikam: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading [fedora-all]↗2026-04-07