Description
Integer Overflow or Wraparound vulnerability in RawTherapee (rtengine modules). This vulnerability is associated with program files dcraw.Cc.

This issue affects RawTherapee: through 5.11.
Published: 2026-01-27
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential memory corruption leading to remote code execution or denial of service
Action: Patch
AI Analysis

Impact

RawTherapee has an integer overflow or wraparound vulnerability in its rtengine modules, specifically in the program file dcraw.Cc. The flaw can result in memory corruption that may allow an attacker to execute arbitrary code, overwrite data, or crash the application. It therefore threatens the confidentiality, integrity, and availability of systems running the affected software.

Affected Systems

RawTherapee versions through 5.11 inclusive are affected. No newer release is listed as vulnerable.

Risk and Exploitability

The CVSS score is 8.3, indicating high severity. The EPSS score is below 1%, implying a low likelihood of exploitation at this time, and the vulnerability is not yet catalogued in the CISA KEV list. Exploitation would require an attacker to get the application to process a crafted RAW image file, which means local user interaction, or a remote file transfer if the user opens files from shared locations. This attack vector is inferred from the nature of the flaw and from how RAW files are typically used.

Generated by OpenCVE AI on April 18, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade RawTherapee to version 5.12 or later to obtain the vendor-supplied fix.
  • If an immediate upgrade is not possible, restrict RawTherapee to processing RAW files only from trusted directories, or temporarily disable raw-image handling until a patch is available.
  • When opening RAW images from untrusted or remote sources, scan the files or use sandboxing to ensure they are not malicious before processing them with the application.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 20:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Rawtherapee; Rawtherapee rawtherapee

Type: Vendors & Products
Values Removed: (none)
Values Added: Rawtherapee; Rawtherapee rawtherapee

Tue, 27 Jan 2026 09:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Integer Overflow or Wraparound vulnerability in RawTherapee (rtengine modules). This vulnerability is associated with program files dcraw.Cc. This issue affects RawTherapee: through 5.11.

Type: Title
Values Removed: (none)
Values Added: A possible integer overflow vulnerability in RawTherapee/RawTherapee

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-190

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 8.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T20:44:34.832Z

Reserved: 2026-01-27T08:39:10.281Z

Link: CVE-2026-24808

Vulnrichment

Updated: 2026-01-27T20:44:31.145Z

NVD

Status : Deferred

Published: 2026-01-27T09:15:51.023

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:30:15Z

Weaknesses