2455934 – (CVE-2026-20884) CVE-2026-20884 LibRaw: LibRaw: Arbitrary code execution via integer overflow in deflate_dng_load_raw

Bug 2455934 (CVE-2026-20884) - CVE-2026-20884 LibRaw: LibRaw: Arbitrary code execution via integer overflow in deflate_dng_load_raw

Summary: CVE-2026-20884 LibRaw: LibRaw: Arbitrary code execution via integer overflow ...

Keywords:
Status:	NEW
Alias:	CVE-2026-20884
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2456555 2456556 2456558 2456560 2456561 2456557
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-07 15:03 UTC by OSIDB Bzimport
Modified:	2026-04-08 16:51 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-07 15:03:07 UTC

An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

Comment 2 Marco Benatto 2026-04-08 16:51:48 UTC

Upstream commit for this issue:

https://github.com/LibRaw/LibRaw/commit/aa4458eb511daeae90676c1ce5c587106e4aaec1

Note You need to log in before you can comment on or make changes to this bug.