NIXPKGS-2026-1010

GitHub issue published on

Permalink CVE-2026-24450

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 1 day, 21 hours ago by @LeSuisse Activity log

Created automatic suggestion 2 days, 6 hours ago
@LeSuisse removed package libraw1394 1 day, 22 hours ago
@LeSuisse accepted 1 day, 22 hours ago
@LeSuisse published on GitHub 1 day, 21 hours ago

An integer overflow vulnerability exists in the uncompressed_fp_dng_load_raw functionality of …

An integer overflow vulnerability exists in the uncompressed_fp_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

References

Affected products

LibRaw

==Commit 8dc68e2

Matching in nixpkgs

pkgs.libraw

Library for reading RAW files obtained from digital photo cameras (CRW/CR2, NEF, RAF, DNG, and others)

nixos-unstable 0.21.5b
- nixpkgs-unstable 0.21.5b
- nixos-unstable-small 0.21.5b
nixos-25.11 0.21.4
- nixos-25.11-small 0.21.4
- nixpkgs-25.11-darwin 0.21.4

Ignored packages (1)

pkgs.libraw1394

Library providing direct access to the IEEE 1394 bus through the Linux 1394 subsystem's raw1394 user space interface

nixos-unstable 2.1.2
- nixpkgs-unstable 2.1.2
- nixos-unstable-small 2.1.2
nixos-25.11 2.1.2
- nixos-25.11-small 2.1.2
- nixpkgs-25.11-darwin 2.1.2

Patch: https://github.com/LibRaw/LibRaw/commit/a58727c1a3cfef4101700e546a6a661c6a299d97

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1010

References

Affected products

Matching in nixpkgs

pkgs.libraw

pkgs.libraw1394