CVE-2026-20889
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk46th percentile — higher than 46% of all known CVEs
Summary
A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader function of LibRaw (commit d20315b). A specially crafted malicious file can lead to a heap buffer overflow.
Risk Assessment
An attacker can provide a malicious file that, when processed by an application using LibRaw, causes a heap buffer overflow, potentially allowing arbitrary code execution or system destabilization.
Recommendation
Immediately update LibRaw to a version containing the fix after commit d20315b. Until updated, avoid processing untrusted RAW files.
Original NVD description (English source)
A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

