Bug#1133845: libraw: CVE-2026-24660 CVE-2026-24450 CVE-2026-21413 CVE-2026-20911 CVE-2026-20889 CVE-2026-20884
Salvatore Bonaccorso
carnil at debian.org
Tue Apr 14 21:40:53 BST 2026
Source: libraw
Version: 0.21.5b-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for libraw.
CVE-2026-24660[0]:
| A heap-based buffer overflow vulnerability exists in the
| x3f_load_huffman functionality of LibRaw Commit d20315b. A specially
| crafted malicious file can lead to a heap buffer overflow. An
| attacker can provide a malicious file to trigger this vulnerability.
CVE-2026-24450[1]:
| An integer overflow vulnerability exists in the
| uncompressed_fp_dng_load_raw functionality of LibRaw Commit 8dc68e2.
| A specially crafted malicious file can lead to a heap buffer
| overflow. An attacker can provide a malicious file to trigger this
| vulnerability.
CVE-2026-21413[2]:
| A heap-based buffer overflow vulnerability exists in the
| lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and
| Commit d20315b. A specially crafted malicious file can lead to a
| heap buffer overflow. An attacker can provide a malicious file to
| trigger this vulnerability.
CVE-2026-20911[3]:
| A heap-based buffer overflow vulnerability exists in the
| HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit
| d20315b. A specially crafted malicious file can lead to a heap
| buffer overflow. An attacker can provide a malicious file to trigger
| this vulnerability.
CVE-2026-20889[4]:
| A heap-based buffer overflow vulnerability exists in the
| x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially
| crafted malicious file can lead to a heap buffer overflow. An
| attacker can provide a malicious file to trigger this vulnerability.
CVE-2026-20884[5]:
| An integer overflow vulnerability exists in the deflate_dng_load_raw
| functionality of LibRaw Commit 8dc68e2. A specially crafted
| malicious file can lead to a heap buffer overflow. An attacker can
| provide a malicious file to trigger this vulnerability.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-24660
https://www.cve.org/CVERecord?id=CVE-2026-24660
[1] https://security-tracker.debian.org/tracker/CVE-2026-24450
https://www.cve.org/CVERecord?id=CVE-2026-24450
[2] https://security-tracker.debian.org/tracker/CVE-2026-21413
https://www.cve.org/CVERecord?id=CVE-2026-21413
[3] https://security-tracker.debian.org/tracker/CVE-2026-20911
https://www.cve.org/CVERecord?id=CVE-2026-20911
[4] https://security-tracker.debian.org/tracker/CVE-2026-20889
https://www.cve.org/CVERecord?id=CVE-2026-20889
[5] https://security-tracker.debian.org/tracker/CVE-2026-20884
https://www.cve.org/CVERecord?id=CVE-2026-20884
Regards,
Salvatore
More information about the Pkg-phototools-devel mailing list
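The two integer-overflow entries in the report (CVE-2026-24450 in uncompressed_fp_dng_load_raw and CVE-2026-20884 in deflate_dng_load_raw) describe the same class of defect: a buffer size computed from attacker-chosen header fields wraps, the allocation comes out far smaller than the decoder assumes, and the subsequent writes become a heap buffer overflow. The C below is an added illustration of the defensive pattern and is not LibRaw's code; it is not tied to the affected functions and the page gives no details of their arithmetic. The raw_dims_t structure and its field names, the RAW_MAX_PIXELS cap, and the header values used in main are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Dimensions as a loader might read them from an untrusted file header.
 * Hypothetical structure; the field names are not LibRaw's. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_sample;
} raw_dims_t;

/* Policy cap on the pixel count (constructed for this example). The point is
 * that the cap is enforced on a product that cannot already have wrapped. */
#define RAW_MAX_PIXELS (100ull * 1000 * 1000)
#define RAW_MAX_BYTES_PER_SAMPLE 8u

/* The defect class behind the integer-overflow CVEs: the product of three
 * untrusted 32-bit fields, evaluated in 32 bits, silently wraps. Kept here
 * only to show the wrong value; nothing is allocated from it. */
uint32_t unchecked_size32(const raw_dims_t *d)
{
    return d->width * d->height * d->bytes_per_sample; /* may wrap to a tiny value */
}

/* Checked computation: returns 0 and sets *out on success, -1 when a field is
 * unreasonable or the product would overflow or exceed the cap. */
int raw_buffer_size(const raw_dims_t *d, size_t *out)
{
    if (d->width == 0 || d->height == 0)
        return -1;
    if (d->bytes_per_sample == 0 || d->bytes_per_sample > RAW_MAX_BYTES_PER_SAMPLE)
        return -1;
    /* Two 32-bit factors always fit in 64 bits, so this product is exact. */
    uint64_t pixels = (uint64_t)d->width * d->height;
    if (pixels > RAW_MAX_PIXELS)
        return -1;
    /* pixels <= 1e8 and bytes_per_sample <= 8, so this cannot wrap either. */
    uint64_t bytes = pixels * d->bytes_per_sample;
    if (bytes > (uint64_t)SIZE_MAX)
        return -1;
    *out = (size_t)bytes;
    return 0;
}

/* Allocate the image buffer only from a validated size; NULL on rejection. */
uint8_t *raw_alloc_image(const raw_dims_t *d, size_t *len)
{
    size_t n;
    if (raw_buffer_size(d, &n) != 0)
        return NULL;
    uint8_t *buf = calloc(n, 1);
    if (buf == NULL)
        return NULL;
    *len = n;
    return buf;
}

int main(void)
{
    /* Constructed header values: a plausible camera image and a wrapping one. */
    raw_dims_t ok  = { 6000, 4000, 2 };
    raw_dims_t bad = { 65536, 65536, 1 }; /* 2^32 pixels: the 32-bit product wraps to 0 */
    size_t n = 0;

    printf("unchecked 32-bit size for bad header: %u\n", unchecked_size32(&bad));
    printf("checked size, bad header rejected: %d\n", raw_buffer_size(&bad, &n));
    uint8_t *img = raw_alloc_image(&ok, &n);
    printf("checked size, good header: %zu bytes (%s)\n", n, img ? "allocated" : "failed");
    free(img);
    return 0;
}
```

The design choice worth noting is that the cap is applied to a 64-bit product of two 32-bit fields, which cannot have wrapped, and only then is the third factor multiplied in; the same header that wraps unchecked_size32 to 0 is rejected by raw_buffer_size before any allocation happens. Every later write into the buffer should still be bounds-checked against the returned length rather than against values re-read from the header.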