Security News

Cybersecurity news aggregator


RHSA-2026:11360: Important: LibRaw security update

This advisory addresses two vulnerabilities in LibRaw: CVE-2026-24450 (CVSS 8.1, High), arbitrary code execution via a specially crafted malicious RAW image file, and CVE-2026-21413 (CVSS 9.8, Critical), arbitrary code execution via a heap-based buffer overflow in lossless JPEG loading. According to NVD data, affected versions include LibRaw 0.22.0 and 0.22.1. Red Hat has released patched packages for Red Hat Enterprise Linux 9; users should apply the update immediately. The fixed RHEL 9 packages are versioned LibRaw-0.21.1-2.el9_7, so check the installed package release rather than the upstream version number.

Red Hat Product Errata
RHSA-2026:11360 - Security Advisory
Issued: 2026-04-28
Updated: 2026-04-28

Synopsis
Important: LibRaw security update

Type/Severity
Security Advisory: Important

Topic
An update for LibRaw is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
LibRaw is a library for reading RAW files obtained from digital photo cameras (CRW/CR2, NEF, RAF, DNG, and others).

Security Fix(es):
- LibRaw: LibRaw: Arbitrary code execution via a specially crafted malicious file (CVE-2026-24450)
- LibRaw: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading (CVE-2026-21413)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for x86_64 9 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le

Fixes
- BZ - 2455925 - CVE-2026-24450 LibRaw: LibRaw: Arbitrary code execution via a specially crafted malicious file
- BZ - 2455929 - CVE-2026-21413 LibRaw: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading

CVEs
- CVE-2026-21413
- CVE-2026-24450

References
- https://access.redhat.com/security/updates/classification/#important

Updated Packages
Note: More recent versions of these packages may be available.
SRPM: LibRaw-0.21.1-2.el9_7.src.rpm
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
