Heap-based Buffer Overflow Vulnerability in LibRaw by LibRaw Development Team
CVE-2026-20889

9.8CRITICAL

Key Information:

Vendor: Libraw
Status: Libraw
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-20889?

A heap-based buffer overflow vulnerability exists within the x3f_thumb_loader functionality of LibRaw, introduced in Commit d20315b. This security flaw can be exploited by an attacker through a specially crafted malicious file. When this file is processed by the system, it may lead to a heap buffer overflow, potentially allowing an attacker to execute arbitrary code or disrupt application functionality. Proper precautions and updates should be taken to mitigate this risk.

Affected Version(s)

LibRaw Commit d20315b

References

https://talosintelligence.com/vulnerability_reports/TALOS...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Jan 26, 2026

Credit

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2026-20889 Data

JSON

Libraw

What is CVE-2026-20889?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit