CVE Reports

Posted on DEV Community • Originally published at cvereports.com

CVE-2026-21413: Heap-Based Buffer Overflow in LibRaw Lossless JPEG Decoder

Vulnerability ID: CVE-2026-21413
CVSS Score: 9.8
Published: 2026-04-07

CVE-2026-21413 is a critical heap-based buffer overflow in the LibRaw library, specifically within the lossless_jpeg_load_raw function. When a maliciously crafted RAW file is processed, the col index taken from CR2Slice metadata is not properly validated, so the decoder writes outside the bounds of its heap buffer. Because the file only has to be parsed, not opened by a privileged user, this is an unauthenticated remote code execution vector.

TL;DR

A critical heap buffer overflow in LibRaw's CR2 metadata parser allows attackers to execute arbitrary code remotely via maliciously crafted RAW image files.


Technical Details

  • CWE ID: CWE-129
  • Attack Vector: Network
  • CVSS Score: 9.8
  • EPSS Score: 0.00043
  • Exploit Status: Unexploited / Theoretical
  • CISA KEV: Not Listed

Affected Systems

  • LibRaw versions prior to 0.22.1
  • ImageMagick (when compiled with vulnerable LibRaw)
  • GIMP (when utilizing vulnerable LibRaw plugins)
  • Various Linux distributions bundling LibRaw < 0.22.1
  • LibRaw: < 0.22.1 (Fixed in: 0.22.1)

Code Analysis

Commit: 75ed2c1

Fix for TALOS-2026-2331

Mitigation Strategies

  • Upgrade LibRaw to a patched version (0.22.1+).
  • Restrict processing of RAW images (especially CR2 files) from untrusted sources.
  • Enforce strict resource limits and sandbox isolation for background image processing tasks.
  • Implement strong input validation and header analysis prior to invoking LibRaw.

Remediation Steps:

  1. Identify all systems and applications utilizing LibRaw, including downstream dependencies like ImageMagick.
  2. Download and install LibRaw version 0.22.1 from the official repositories.
  3. Recompile any statically linked binaries that bundle a vulnerable version of the LibRaw library.
  4. Restart affected services and web application daemons so that they load the updated shared library rather than the old copy still mapped in memory.
  5. Verify the patch deployment by scanning application file hashes and shared library versions.
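The following script is an added example for remediation step 5; it is not part of the original report or of the LibRaw project. It compares a dotted version string against the fixed release 0.22.1 named above, and optionally queries the installed LibRaw through pkg-config (the module name `libraw` is assumed here). Version suffixes such as "0.22.1-Release" are tolerated by stripping non-numeric trailers from each component.

```shell
#!/bin/sh
# Added example (not from the original report): decide whether an installed
# LibRaw is older than the fixed release 0.22.1 named in the advisory.
FIXED_LIBRAW_VERSION="0.22.1"

# version_lt A B: return 0 if dotted version A is numerically lower than B.
# Missing components count as 0, so "0.22" is treated as "0.22.0".
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=${a%%.*}; bx=${b%%.*}
    # Drop any non-numeric trailer in this component (e.g. "1-Release" -> "1").
    ax=${ax%%[!0-9]*}; bx=${bx%%[!0-9]*}
    ax=${ax:-0}; bx=${bx:-0}
    [ "$ax" -lt "$bx" ] && return 0
    [ "$ax" -gt "$bx" ] && return 1
    # Advance to the next component, or clear when none remain.
    case "$a" in *.*) a=${a#*.};; *) a="";; esac
    case "$b" in *.*) b=${b#*.};; *) b="";; esac
  done
  return 1
}

# libraw_vulnerable VERSION: return 0 if VERSION is below the fixed release.
libraw_vulnerable() {
  version_lt "$1" "$FIXED_LIBRAW_VERSION"
}

# check_installed_libraw: query pkg-config (assumed module name "libraw") and
# report. Exit status: 0 patched, 1 vulnerable, 2 LibRaw not found.
check_installed_libraw() {
  installed=$(pkg-config --modversion libraw 2>/dev/null) || {
    echo "LibRaw not found via pkg-config; check vendored or static copies manually"
    return 2
  }
  if libraw_vulnerable "$installed"; then
    echo "VULNERABLE: LibRaw $installed < $FIXED_LIBRAW_VERSION (CVE-2026-21413)"
    return 1
  fi
  echo "OK: LibRaw $installed >= $FIXED_LIBRAW_VERSION"
  return 0
}

# Run the live check only when invoked as: sh check_libraw.sh check
if [ "${1:-}" = "check" ]; then
  check_installed_libraw
  exit $?
fi
```

Run it with the `check` argument on each host found in step 1; a non-zero exit status marks hosts still needing the upgrade. Statically linked binaries (step 3) do not show up through pkg-config, so those still need to be identified by rebuild records or binary inspection.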

Read the full report for CVE-2026-21413 on our website for more details including interactive diagrams and full exploit analysis.
