CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-21413

CVE-2026-21413: Heap-Based Buffer Overflow in LibRaw Lossless JPEG Decoder

Alon Barad
Alon Barad
Software Engineer

Apr 9, 2026·4 min read·33 visits

Executive Summary (TL;DR)

A critical heap buffer overflow in LibRaw's CR2 metadata parser allows attackers to execute arbitrary code remotely via maliciously crafted RAW image files.

CVE-2026-21413 is a critical heap-based buffer overflow in the LibRaw library, specifically within the `lossless_jpeg_load_raw` function. Triggered by maliciously crafted RAW files, the vulnerability allows for out-of-bounds memory writes due to improper validation of the `col` index in CR2Slice metadata, resulting in an unauthenticated remote code execution vector.

Vulnerability Overview

LibRaw is an open-source library widely deployed for reading and decoding RAW image files from digital cameras. It serves as a foundational component in numerous downstream image processing applications, including ImageMagick, GIMP, and various operating system media frameworks.

The vulnerability, designated CVE-2026-21413, is a critical heap-based buffer overflow located in the library's lossless_jpeg_load_raw() function. This function handles the decoding of lossless JPEG data embedded within specific RAW formats, predominantly Canon's CR2 format.

The flaw is classified under CWE-129 (Improper Validation of Array Index). It allows an attacker to manipulate the memory space of applications parsing untrusted image files, yielding an unauthenticated remote code execution vector.

Root Cause Analysis

The root cause of CVE-2026-21413 is the absence of adequate boundary checks during the processing of CR2Slice metadata. When LibRaw decodes a CR2 image, it extracts dimension and offset parameters from this metadata to reconstruct the image matrix.

Within the lossless_jpeg_load_raw() execution path, the library utilizes a col (column) index variable derived directly from the parsed CR2Slice data. The code fails to validate whether this col value exceeds the maximum bounds of the dynamically allocated heap buffer reserved for the raw image pixels.

Because the index is trusted implicitly, subsequent memory write operations use the attacker-controlled col value to calculate memory offsets. This enables arbitrary out-of-bounds write primitives on the heap, corrupting adjacent memory structures.

Code Analysis

The vulnerable implementation processes the JPEG slices without verifying the upper limits of the structural parameters. A crafted RAW file can declare abnormally large slice dimensions, directly manipulating the parsing loops.

The fix, introduced in commit 75ed2c12a35b765b3b6ad695cc1f044f19efe644, implements strict bounds checking on the column indices before permitting any memory writes. By evaluating the parsed metadata against the known safe buffer dimensions, the patched code ensures that out-of-bounds indexing is safely aborted.

Any attempt to provide structural dimensions exceeding the allocated pixel array capacity will now trigger an early exit or error state. This structural validation neutralizes the specific metadata manipulation path leveraged by this vulnerability.

Exploitation

Exploitation relies on the target application invoking LibRaw to process an attacker-supplied RAW file. Since no authentication is required, any interface that accepts image uploads or processes images automatically is a viable attack vector.

An attacker constructs a specialized CR2 file where the CR2Slice metadata is strategically altered. By setting the col index to target specific offsets, the attacker forces the application to overwrite adjacent heap metadata or function pointers.

Achieving reliable remote code execution requires precise heap layout manipulation. The attacker must align the target objects in memory so that the out-of-bounds write modifies a critical data structure, redirecting the execution flow to an attacker-controlled payload.

Impact Assessment

The vulnerability carries a maximum CVSS v3.1 score of 9.8, indicating critical severity. A successful exploit results in the complete compromise of the process executing the LibRaw parsing routine.

In a typical web application scenario where user-uploaded images are processed for thumbnail generation or metadata extraction, exploitation yields unauthenticated remote code execution. The attacker inherits the privileges of the processing daemon, often leading to full system compromise or lateral movement within the network.

Alternatively, if reliable code execution fails, the memory corruption predictably leads to application crashes. This introduces a robust denial-of-service vector against automated image processing pipelines.

Remediation

The definitive remediation for CVE-2026-21413 is upgrading the LibRaw library to version 0.22.1 or later. This release incorporates the upstream fix commit 75ed2c12a35b765b3b6ad695cc1f044f19efe644.

System administrators must also identify and update statically linked binaries that package older versions of LibRaw. Downstream software such as ImageMagick and GIMP should be audited and rebuilt against the updated library to ensure comprehensive protection.

If an immediate upgrade is unfeasible, administrators should restrict the uploading and processing of RAW image files, specifically .cr2 files, from untrusted sources. Executing LibRaw-based tasks within isolated sandboxes or containerized environments will limit the blast radius of a successful exploit.

Official Patches

LibRawOfficial patch fixing the out-of-bounds write

Fix Analysis (1)

Technical Appendix

CVSS Score
9.8/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
0.04%
Top 87% most exploited

Affected Systems

LibRaw versions prior to 0.22.1ImageMagick (when compiled with vulnerable LibRaw)GIMP (when utilizing vulnerable LibRaw plugins)Various Linux distributions bundling LibRaw < 0.22.1

Affected Versions Detail

Product
Affected Versions
Fixed Version
LibRaw
LibRaw
< 0.22.10.22.1
AttributeDetail
CWE IDCWE-129
Attack VectorNetwork
CVSS Score9.8
EPSS Score0.00043
Exploit StatusUnexploited / Theoretical
CISA KEVNot Listed

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1068Exploitation for Privilege Escalation
Privilege Escalation
CWE-129
Improper Validation of Array Index

The product uses untrusted input as an array index, but it does not validate or incorrectly validates the index to ensure it references a valid position within the array.

Vulnerability Timeline

Initial discovery and report by Francesco Benvenuto of Cisco Talos
2026-02-12
LibRaw version 0.22.1 released with patch
2026-04-06
Official public disclosure by Cisco Talos
2026-04-07
NVD and CVE.org records finalized
2026-04-08

References & Sources

  • [1]Cisco Talos Advisory
  • [2]CVE Record
  • [3]LibRaw GitHub Repository
  • [4]LibRaw Download Page
  • [5]GitHub Security Advisory

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 12 hours ago•CVE-2026-53359
8.8

CVE-2026-53359: Use-After-Free in Linux Kernel KVM Shadow MMU (Januscape)

Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.

Amit Schendel
Amit Schendel
55 views•5 min read
•about 12 hours ago•CVE-2026-48282
10.0

CVE-2026-48282: Unauthenticated Path Traversal and Arbitrary File Write in Adobe ColdFusion Remote Development Services

CVE-2026-48282 is a critical unauthenticated path traversal and arbitrary file write vulnerability in the Remote Development Services (RDS) component of Adobe ColdFusion. The vulnerability allows a remote, unauthenticated attacker to bypass directory boundaries and write arbitrary files, including CFML-based web shells, onto the host server. This flaw is actively exploited in the wild and enables full unauthenticated remote code execution under the privileges of the ColdFusion service account.

Alon Barad
Alon Barad
22 views•6 min read
•about 17 hours ago•GHSA-GQ4G-FPC9-VJFQ
2.3

GHSA-gq4g-fpc9-vjfq: Username Enumeration via Predictable Decoy Credentials in web-auth/webauthn-lib

An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.

Alon Barad
Alon Barad
8 views•5 min read
•about 18 hours ago•GHSA-CWV4-H3J5-W3CF
3.7

GHSA-CWV4-H3J5-W3CF: Stored and Reflected Cross-Site Scripting in rama's Directory Listing Component

A Stored and Reflected Cross-Site Scripting (XSS) vulnerability was identified in the Rust web service library 'rama' prior to version 0.3.0-rc.1. When serving directories using DirectoryServeMode::HtmlFileList, the library improperly escapes directory names, filenames, and request path components before injecting them into dynamically generated HTML files. This allows attackers to execute malicious scripts inside user browser sessions.

Alon Barad
Alon Barad
7 views•7 min read
•about 18 hours ago•GHSA-Q855-8RH5-JFGQ
6.5

GHSA-Q855-8RH5-JFGQ: Missing Authentication and CSRF in ha-mcp bare root settings and policy routes

The ha-mcp add-on for Home Assistant exposes its settings and security policy routes without authentication at the bare root path of TCP port 9583. This exposure allows unauthorized adjacent network clients to reconfigure tools, alter policies, and bypass human-in-the-loop approval gates. The vulnerability has been addressed in development build 7.6.0.dev393 and subsequent releases by restricting access to root-mounted routes exclusively to the Supervisor Ingress IP.

Amit Schendel
Amit Schendel
6 views•8 min read
•about 19 hours ago•GHSA-F66Q-9RF6-8795
5.3

GHSA-f66q-9rf6-8795: WebAuthn Re-authentication Freshness Bypass in Flask-Security-Too

An authentication freshness bypass vulnerability exists in the WebAuthn re-authentication path of Flask-Security-Too versions 5.8.0 and 5.8.1. The flaw allows an authenticated attacker to elevate the freshness status of a victim session using their own WebAuthn credential, bypassing re-authentication constraints.

Amit Schendel
Amit Schendel
8 views•5 min read