Description
A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Published: 2026-04-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow potentially enabling arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

A heap-based buffer overflow exists in LibRaw’s x3f_load_huffman routine. A specially crafted file can corrupt memory, and the overflow may be leveraged to execute arbitrary code, compromising the confidentiality and integrity of the application and possibly leading to crashes or denial of service.

Affected Systems

The vulnerability affects the LibRaw library from the vendor LibRaw:LibRaw. The affected release is 0.22.0 as identified by the CPE entry. No other product or version information is provided in the CVE record.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity condition. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector requires an attacker to supply a malicious file to a program that uses LibRaw, which is likely a local or effectively local exploitation scenario if the file can be controlled by the user.

Generated by OpenCVE AI on April 10, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade LibRaw to a version that fixes CVE-2026-24660.
  • If an update is not feasible, restrict the types and sizes of files processed by LibRaw, or validate input before it reaches the library.
  • Consider running interfacing applications in a sandboxed environment to limit the impact of a potential memory corruption.
  • Monitor logs for abnormal crashes or memory corruption patterns associated with image processing tasks.

Generated by OpenCVE AI on April 10, 2026 at 22:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:libraw:libraw:0.22.0:*:*:*:*:*:*:*

Wed, 08 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Libraw
Libraw libraw
Vendors & Products Libraw
Libraw libraw

Wed, 08 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title LibRaw: LibRaw: Memory Corruption via Malicious File Processing
Weaknesses CWE-120
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Weaknesses CWE-190
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Libraw Libraw
cve-icon MITRE

Status: PUBLISHED

Assigner: talos

Published:

Updated: 2026-04-08T20:58:58.522Z

Reserved: 2026-01-27T16:49:40.398Z

Link: CVE-2026-24660

cve-icon Vulnrichment

Updated: 2026-04-07T16:23:25.774Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T15:17:37.213

Modified: 2026-04-10T20:51:24.310

Link: CVE-2026-24660

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-07T13:49:25Z

Links: CVE-2026-24660 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:27:13Z

Weaknesses