CVE-2026-5342
Out-of-Bounds Read in LibRaw TIFF/NEF Allows Remote Exploit
Publication date: 2026-04-02
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libraw | libraw | before 0.22.1 (0.22.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5342 is a heap out-of-bounds read vulnerability in the LibRaw library, specifically in the function LibRaw::nikon_load_padded_packed_raw() located in src/decoders/decoders_libraw.cpp.
The vulnerability occurs because the function allocates a buffer based on the metadata field load_flags but then reads image data using loop bounds derived from another metadata field, raw_width, without validating that the buffer size is sufficient for this access.
This lack of validation means that if a crafted TIFF/NEF file contains inconsistent load_flags and raw_width metadata, the function can read beyond the allocated buffer, which AddressSanitizer reports as a heap-buffer-overflow.
The issue can be triggered remotely by processing specially crafted Nikon RAW files, and an exploit has been published.
The vulnerability is fixed by adding a validation check to ensure the buffer size is sufficient before reading, and by recalculating the padded row size accurately to prevent out-of-bounds access.
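The size check described above, as a simplified C model added here; it is not LibRaw's code or its patch. `row_bytes` stands in for the buffer size taken from load_flags, and the function name, the 12-bit packing (3 bytes per 2 pixels) and the even-width requirement are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not LibRaw code. row_bytes stands in for the buffer
 * size taken from load_flags; the 12-bit packing (3 bytes per 2 pixels)
 * and the even-width requirement are assumptions of this illustration. */
enum { DECODE_OK = 0, DECODE_BAD_META = -1, DECODE_SHORT_INPUT = -2, DECODE_NOMEM = -3 };

int decode_padded_rows(const uint8_t *in, size_t in_len, size_t row_bytes,
                       uint16_t raw_width, uint16_t raw_height, uint16_t *out)
{
    /* Bytes the width-driven inner loop touches in each row buffer. */
    size_t needed = (size_t)(raw_width / 2) * 3;

    /* The missing check: the allocation size must cover that range. */
    if (raw_width == 0 || raw_width % 2 || raw_height == 0 || row_bytes < needed)
        return DECODE_BAD_META;
    /* The input must really hold raw_height rows of row_bytes each. */
    if (in_len / row_bytes < raw_height)
        return DECODE_SHORT_INPUT;

    uint8_t *buf = malloc(row_bytes);
    if (!buf)
        return DECODE_NOMEM;
    for (size_t row = 0; row < raw_height; row++) {
        memcpy(buf, in + row * row_bytes, row_bytes);
        for (size_t c = 0; c < (size_t)raw_width / 2; c++) {
            uint16_t *px = out + row * raw_width + 2 * c;
            px[0] = (uint16_t)(((buf[3 * c + 1] & 0x0f) << 8) | buf[3 * c]);
            px[1] = (uint16_t)((buf[3 * c + 2] << 4) | (buf[3 * c + 1] >> 4));
        }
    }
    free(buf);
    return DECODE_OK;
}

int main(void)
{
    /* Constructed sample: 2 rows, each padded to 16 bytes, 4 pixels wide. */
    uint8_t in[32] = {0x34, 0x12, 0xAB};
    uint16_t out[8] = {0};
    printf("consistent:   %d\n", decode_padded_rows(in, sizeof in, 16, 4, 2, out));
    /* Row size says 4 bytes, width needs 6: rejected before any read. */
    printf("inconsistent: %d\n", decode_padded_rows(in, sizeof in, 4, 4, 2, out));
    return 0;
}
```

Without the `row_bytes < needed` test, the second call would index past the end of a 4-byte heap buffer, which is the condition the sanitizer run on this page reports.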
How can this vulnerability impact me?
This vulnerability can lead to a heap out-of-bounds read when processing crafted Nikon RAW image files using the LibRaw library.
The impact includes potential application crashes or abnormal behavior due to reading memory beyond allocated buffers.
While the vulnerability does not directly affect confidentiality, integrity, or availability in a broad sense, it can cause denial of service by crashing the application.
Because the exploit can be triggered remotely by supplying malicious image files, any system or application using vulnerable versions of LibRaw to process such files is at risk.
Upgrading to LibRaw version 0.22.1 or later mitigates this issue.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the LibRaw library's handling of Nikon RAW files, specifically by using a crafted TIFF/NEF file that triggers the out-of-bounds read in the function LibRaw::nikon_load_padded_packed_raw().
A proof of concept (PoC) file named poc_nikonpadded_oob.tif has been used to detect this vulnerability.
Detection can be performed by running the LibRaw binary (such as simple_dcraw) compiled with AddressSanitizer and Undefined Behavior Sanitizer on the PoC file. The sanitizer will report a heap-buffer-overflow due to reading beyond the allocated buffer.
- Compile simple_dcraw with AddressSanitizer and Undefined Behavior Sanitizer enabled.
- Run the command: ./simple_dcraw poc_nikonpadded_oob.tif
- Observe sanitizer output for heap-buffer-overflow errors indicating the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the LibRaw library to version 0.22.1 or later, where this vulnerability has been fixed.
The fix involves adding validation checks to ensure the buffer size allocated matches the expected size based on image metadata, preventing out-of-bounds reads.
Specifically, the patch recalculates the padded row size accurately and validates it before allocation and reading, preventing exploitation.
- Upgrade LibRaw to version 0.22.1 or newer.
- If upgrading is not immediately possible, apply the patch identified by commit b8397cd45657b84e88bd1202528d1764265f185c to the affected source code.
- Avoid processing untrusted or suspicious TIFF/NEF files until the fix is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.