NIXPKGS-2026-1002

GitHub issue published on

Permalink CVE-2026-20889

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 1 day, 23 hours ago by @LeSuisse Activity log

Created automatic suggestion 2 days, 8 hours ago
@LeSuisse removed package libraw1394 1 day, 23 hours ago
@LeSuisse accepted 1 day, 23 hours ago
@LeSuisse published on GitHub 1 day, 23 hours ago

A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality …

A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

References

Affected products

LibRaw

==Commit d20315b

Matching in nixpkgs

pkgs.libraw

Library for reading RAW files obtained from digital photo cameras (CRW/CR2, NEF, RAF, DNG, and others)

nixos-unstable 0.21.5b
- nixpkgs-unstable 0.21.5b
- nixos-unstable-small 0.21.5b
nixos-25.11 0.21.4
- nixos-25.11-small 0.21.4
- nixpkgs-25.11-darwin 0.21.4

Ignored packages (1)

pkgs.libraw1394

Library providing direct access to the IEEE 1394 bus through the Linux 1394 subsystem's raw1394 user space interface

nixos-unstable 2.1.2
- nixpkgs-unstable 2.1.2
- nixos-unstable-small 2.1.2
nixos-25.11 2.1.2
- nixos-25.11-small 2.1.2
- nixpkgs-25.11-darwin 2.1.2

Upstream patch: https://github.com/LibRaw/LibRaw/commit/657b68d20456eaeb9639976f328827195ff41383

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1002

References

Affected products

Matching in nixpkgs

pkgs.libraw

pkgs.libraw1394