In LibRaw, an out-of-bounds read vulnerability exists within the get_huffman_diff() function (libraw\src\x3f\x3f_utils_patched.cpp) when reading data from an image file.
What's the severity of this CVE? Moderate?
For what it's worth, this CVE affects neither the LibRaw package in Fedora (F >= 35 has 0.20.2) nor the one in RHEL 9 (has 0.20.2).
I didn't check packages that carry other copies of the same code (e.g., dcraw).
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):