https://www.libraw.org/news/libraw-0-22-1-release announces:
LibRaw 0.22.1 Release has just been published in our GitHub repository
<https://github.com/LibRaw/LibRaw> and this site's download section
<https://www.libraw.org/download>.
This is a bugfix-only release with these commits included:
* Limit strcat space in hassy model manipulation
* Version increment; shlib increment: internal ABI has changed
* check panasonic enc8 tile width against image width
* CR3 parser: zero all buffers before fread
* skip memory allocation checks for OWN_ALLOC decoders
* DNG SDK glue: check for memory limits
* raw2image()/dcraw_process() - check for int16 source data present
* Check for correct bayer pattern, pass incorrect ones to vng_interpolate
* parse_rollei: zero input string before fgets
* Nikon padded/12bit: no need to calculate padded row size before final
raw_width adjustment
* TALOS-2026-2364: Fix for data size calculation integer overflow in
float/deflated DNG loader; Check for read results
* Fix for TALOS-2026-2363: avoid integer overflow in allocation size
calculation. Also: check for EOF in read loop
* X3F decoder: implemented hard single allocation limit via
LIBRAW_X3F_ALLOC_LIMIT_MB define;
* allocation size calculation converted to 64 bit arithm; fix for
TALOS-2026-2359
* Fix for TALOS-2026-2358
* Fix for TALOS-2026-2331
* Fix for TALOS-2026-2330
* Sony YCC decoder: check tile size; add +3 bytes to input buffer to avoid
possible overrun in huffman decoder
* FP DNG data limit: perform calculations in 64 bit
* Add extra huff_coeff item to handle huff_index==17 with known (zero) value,
not externally provided tag value
* use %lld format for timestamp parse/print where appropriate
* nikon coolscan loader: check for EOF
* Initialize olympus lensID bits
* CR3 parser: all file offsets are unsigned/64bit; check current offset
against file size
* Add Canon EOS Kiss M2 to camera list
* Check real color count against filters; do not pass really 4-color images
to fbdd or advanced demosaic
* Use LIBRAW_EXCEPTION instead of own internal in losslessjpeg.h
* zero input string to avoid compare random stack garbage with tag names
* Check for eof in Pentax tag search loop
* Fuji decoder: initialize allocated buffers
Further information about the vulnerabilities reported by Cisco Talos can be
found in their reports:
- TALOS-2026-2330 / CVE-2026-20911
LibRaw HuffTable::initval heap-based buffer overflow vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330
A heap-based buffer overflow vulnerability exists in the HuffTable::initval
functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially
crafted malicious file can lead to a heap buffer overflow. An attacker
can provide a malicious file to trigger this vulnerability.
- TALOS-2026-2331 / CVE-2026-21413
LibRaw lossless_jpeg_load_raw heap-based buffer overflow vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331
A heap-based buffer overflow vulnerability exists in the
lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and
Commit d20315b. A specially crafted malicious file can lead to a heap buffer
overflow. An attacker can provide a malicious file to trigger this
vulnerability.
- TALOS-2026-2358 / CVE-2026-20889
LibRaw x3f_thumb_loader heap-based buffer overflow vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358
A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader
functionality of LibRaw Commit d20315b. A specially crafted malicious file
can lead to a heap buffer overflow. An attacker can provide a malicious file
to trigger this vulnerability.
- TALOS-2026-2359 / CVE-2026-24660
LibRaw x3f_load_huffman heap-based buffer overflow vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2359
A heap-based buffer overflow vulnerability exists in the x3f_load_huffman
functionality of LibRaw Commit d20315b. A specially crafted malicious file
can lead to a heap buffer overflow. An attacker can provide a malicious file
to trigger this vulnerability.
- TALOS-2026-2363 / CVE-2026-24450
LibRaw uncompressed_fp_dng_load_raw integer overflow vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2363
An integer overflow vulnerability exists in the uncompressed_fp_dng_load_raw
functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file
can lead to a heap buffer overflow. An attacker can provide a malicious file
to trigger this vulnerability.
- TALOS-2026-2364 / CVE-2026-20884
LibRaw deflate_dng_load_raw integer overflow vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364
An integer overflow vulnerability exists in the deflate_dng_load_raw
functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file
can lead to a heap buffer overflow. An attacker can provide a malicious file
to trigger this vulnerability.
Additional CVEs also appear to have been issued for some of the fixes:
- CVE-2026-5318 appears to be a duplicate for independent reporting of the
TALOS-2026-2330 / CVE-2026-20911 issue in
https://github.com/LibRaw/LibRaw/issues/794
- CVE-2026-5342 for the fix listed above as "Nikon padded/12bit: no need to
calculate padded row size before final raw_width adjustment" and originally
reported in https://github.com/LibRaw/LibRaw/issues/795
--
-Alan Coopersmith-
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
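
Several of the fixes listed above ("avoid integer overflow in allocation size calculation", "allocation size calculation converted to 64 bit", "FP DNG data limit: perform calculations in 64 bit") address the same defect class. The following C sketch is an added illustration, not LibRaw's code and not part of the original message: the function names, the `EXAMPLE_ALLOC_LIMIT_MB` value and the sample dimensions are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical hard cap per allocation; the value is an assumption. */
#define EXAMPLE_ALLOC_LIMIT_MB 2048u

/* Before: every operand is 32-bit, so the product wraps modulo 2^32.
 * A buffer of this size is then too small for the data the loader
 * goes on to write, which is how the overflow reaches the heap. */
static uint32_t size_32bit(uint32_t w, uint32_t h, uint32_t samples,
                           uint32_t bytes)
{
    return w * h * samples * bytes;
}

/* After: widen to 64 bits before multiplying, bound every step against
 * the cap, and refuse zero-sized inputs. Returns 0 on success, -1 if the
 * dimensions from the file header must be rejected. */
static int size_checked(uint32_t w, uint32_t h, uint32_t samples,
                        uint32_t bytes, size_t *out)
{
    const uint64_t limit = (uint64_t)EXAMPLE_ALLOC_LIMIT_MB * 1024u * 1024u;
    uint64_t n;

    if (!w || !h || !samples || !bytes)
        return -1;
    n = (uint64_t)w * h;            /* two 32-bit values always fit in 64 */
    if (n > limit / samples)        /* n * samples would exceed the cap */
        return -1;
    n *= samples;
    if (n > limit / bytes)          /* n * bytes would exceed the cap */
        return -1;
    n *= bytes;
    if (n > SIZE_MAX)               /* matters where size_t is 32-bit */
        return -1;
    *out = (size_t)n;
    return 0;
}

int main(void)
{
    size_t sz = 0;
    /* Constructed header values: true size is about 48 GiB. */
    printf("32-bit result: %u bytes\n",
           (unsigned)size_32bit(65537u, 65536u, 3u, 4u));
    printf("checked: %d\n", size_checked(65537u, 65536u, 3u, 4u, &sz));
    return 0;
}
```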