CVE-2025-43962

EUVD-2025-11961
In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp has out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.9 LOW
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
Affected Products (NVD)
VendorProductVersion
librawlibraw
𝑥
< 0.21.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libraw
bookworm
0.20.2-2.1+deb12u1
fixed
bullseye
vulnerable
bullseye (security)
0.20.2-1+deb11u2
fixed
forky
0.22.1-1
fixed
sid
0.22.1-1
fixed
trixie
0.21.4-2
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libraw-devel
suse enterprise desktop 15 SP6
0.21.1-150600.3.5.1
fixed
suse enterprise desktop 15 SP7
0.21.1-150600.3.5.1
fixed
suse enterprise sap 15 SP6
0.21.1-150600.3.5.1
fixed
suse enterprise sap 15 SP7
0.21.1-150600.3.5.1
fixed
suse enterprise server 15 SP6
0.21.1-150600.3.5.1
fixed
suse enterprise server 15 SP7
0.21.1-150600.3.5.1
fixed
suse enterprise workstation 15 SP6
0.21.1-150600.3.5.1
fixed
suse enterprise workstation 15 SP7
0.21.1-150600.3.5.1
fixed
libraw16
suse enterprise desktop 15 SP6
0.18.9-150000.3.30.1
fixed
suse enterprise desktop 15 SP7
0.18.9-150000.3.30.1
fixed
suse enterprise sap 15 SP6
0.18.9-150000.3.30.1
fixed
suse enterprise sap 15 SP7
0.18.9-150000.3.30.1
fixed
suse enterprise server 15 SP6
0.18.9-150000.3.30.1
fixed
suse enterprise server 15 SP7
0.18.9-150000.3.30.1
fixed
suse enterprise workstation 15 SP6
0.18.9-150000.3.30.1
fixed
suse enterprise workstation 15 SP7
0.18.9-150000.3.30.1
fixed
Common Weakness Enumeration
References
https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2
https://github.com/LibRaw/LibRaw/compare/0.21.3...0.21.4
https://www.libraw.org/news/libraw-0-21-4-release
https://lists.debian.org/debian-lts-announce/2025/04/msg00038.html