CVE-2026-20889

EUVD-2026-19620
A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Provider   Type      Base Score      Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       Primary   9.8 CRITICAL    NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: Percentile 23%
Affected Products (NVD)
Vendor   Product   Version
libraw   libraw    0.22.0 (vulnerable)
Ubuntu Releases
Ubuntu Product   Codename   Status
libraw           bionic     not-affected
libraw           focal      not-affected
libraw           jammy      needed
libraw           noble      needed
libraw           questing   needed
libraw           resolute   needed
libraw           xenial     not-affected
ufraw            bionic     needs-triage
ufraw            jammy      dne
ufraw            noble      dne
ufraw            questing   dne
ufraw            resolute   dne
ufraw            xenial     ignored
darktable        bionic     needs-triage
darktable        focal      needs-triage
darktable        jammy      needs-triage
darktable        noble      needs-triage
darktable        questing   needs-triage
darktable        resolute   needs-triage
darktable        xenial     ignored
exactimage       bionic     needs-triage
exactimage       focal      needs-triage
exactimage       jammy      needs-triage
exactimage       noble      needs-triage
exactimage       questing   needs-triage
exactimage       resolute   needs-triage
exactimage       xenial     ignored
dcraw            bionic     needs-triage
dcraw            focal      needs-triage
dcraw            jammy      needs-triage
dcraw            noble      needs-triage
dcraw            questing   needs-triage
dcraw            resolute   needs-triage
dcraw            xenial     ignored
rawtherapee      bionic     needs-triage
rawtherapee      focal      needs-triage
rawtherapee      jammy      needs-triage
rawtherapee      noble      needs-triage
rawtherapee      questing   needs-triage
rawtherapee      resolute   needs-triage
rawtherapee      xenial     ignored
kodi             bionic     needs-triage
kodi             focal      needs-triage
kodi             jammy      needs-triage
kodi             noble      needs-triage
kodi             questing   needs-triage
kodi             resolute   needs-triage
kodi             xenial     ignored
digikam          bionic     needs-triage
digikam          focal      needs-triage
digikam          jammy      needs-triage
digikam          noble      needs-triage
digikam          questing   needs-triage
digikam          resolute   needs-triage
digikam          xenial     ignored
Red Hat Enterprise Linux Releases
Red Hat Product   Release   Fixed Version        Status
LibRaw            RHEL 8    0:0.19.5-6.el8_10    fixed
LibRaw-devel      RHEL 8    0:0.19.5-6.el8_10    fixed