CVE-2025-43962

EUVD-2025-11961
In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp has out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.9 LOW
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
mitreCNA
2.9 LOW
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
Affected Products (NVD)
VendorProductVersion
librawlibraw
𝑥
< 0.21.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libraw
bookworm
0.20.2-2.1+deb12u1
fixed
bullseye
vulnerable
bullseye (security)
0.20.2-1+deb11u2
fixed
forky
0.21.5b-1
fixed
sid
0.21.5b-1
fixed
trixie
0.21.4-2
fixed
Common Weakness Enumeration
References
https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2
https://github.com/LibRaw/LibRaw/compare/0.21.3...0.21.4
https://www.libraw.org/news/libraw-0-21-4-release
https://lists.debian.org/debian-lts-announce/2025/04/msg00038.html