Zero Day Monitor (ZDM)
CVE-2026-20889
CVSS score: 9.8
Vendor · Product: libraw · libraw

CVE-2026-20889: A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A spec

Description

A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

Affected Products

Vendor: libraw
Product: libraw
Versions: Commit d20315b

References

  • https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358

Related News (1 article)

Tier C
VulDB · 4d ago
CVE-2026-20889 | LibRaw d20315b File x3f_thumb_loader integer overflow (TALOS-2026-2358)
→ No new info (linked only)

CVSS 3.1: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV: No
Actively exploited: No
CWE: CWE-190
Published: Apr 7, 2026
Trending Score: 27
Source articles: 1
Independent: 1
Info Completeness: 0/14
Missing: cve_id, title, description, vendor, product, versions, cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-20911 · EXP
CVE-2026-20911: A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and C
Trending: 74

CRITICAL · CVE-2026-21413
CVE-2026-21413: A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 a
Trending: 27

HIGH · CVE-2026-24660
CVE-2026-24660: A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw Commit d20315b. A spec
Trending: 18

HIGH · CVE-2026-20884
CVE-2026-20884: An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially
Trending: 18

HIGH · CVE-2026-24450
CVE-2026-24450: An integer overflow vulnerability exists in the uncompressed_fp_dng_load_raw functionality of LibRaw Commit 8dc68e2. A s
Trending: 18

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 7, 2026
Discovered by ZDM: Apr 7, 2026