NIXPKGS-2026-1008

GitHub issue published on

Permalink CVE-2026-21413

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 1 day, 21 hours ago by @LeSuisse Activity log

Created automatic suggestion 2 days, 6 hours ago
@LeSuisse removed package libraw1394 1 day, 22 hours ago
@LeSuisse accepted 1 day, 22 hours ago
@LeSuisse published on GitHub 1 day, 21 hours ago

A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality …

A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

References

Affected products

LibRaw

==Commit 0b56545
==Commit d20315b

Matching in nixpkgs

pkgs.libraw

Library for reading RAW files obtained from digital photo cameras (CRW/CR2, NEF, RAF, DNG, and others)

nixos-unstable 0.21.5b
- nixpkgs-unstable 0.21.5b
- nixos-unstable-small 0.21.5b
nixos-25.11 0.21.4
- nixos-25.11-small 0.21.4
- nixpkgs-25.11-darwin 0.21.4

Ignored packages (1)

pkgs.libraw1394

Library providing direct access to the IEEE 1394 bus through the Linux 1394 subsystem's raw1394 user space interface

nixos-unstable 2.1.2
- nixpkgs-unstable 2.1.2
- nixos-unstable-small 2.1.2
nixos-25.11 2.1.2
- nixos-25.11-small 2.1.2
- nixpkgs-25.11-darwin 2.1.2

Patch: https://github.com/LibRaw/LibRaw/commit/32c7b783de262f21fa5e3f58a59031edf23ab3cb

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1008

References

Affected products

Matching in nixpkgs

pkgs.libraw

pkgs.libraw1394