Nixpkgs security tracker

Untriaged

Permalink CVE-2026-20889

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 week ago

A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality …

A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

References

Affected products

LibRaw

==Commit d20315b

Matching in nixpkgs

pkgs.libraw

Library for reading RAW files obtained from digital photo cameras (CRW/CR2, NEF, RAF, DNG, and others)

nixos-unstable 0.21.5b
- nixpkgs-unstable 0.21.5b
- nixos-unstable-small 0.21.5b
nixos-25.11 0.21.4
- nixos-25.11-small 0.21.4
- nixpkgs-25.11-darwin 0.21.4

pkgs.libraw1394

Library providing direct access to the IEEE 1394 bus through the Linux 1394 subsystem's raw1394 user space interface

nixos-unstable 2.1.2
- nixpkgs-unstable 2.1.2
- nixos-unstable-small 2.1.2
nixos-25.11 2.1.2
- nixos-25.11-small 2.1.2
- nixpkgs-25.11-darwin 2.1.2

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.libraw

pkgs.libraw1394