This security update addresses three critical vulnerabilities in LibRaw (CVE-2026-20889 & CVE-2026-21413, CVSS 9.8; CVE-2026-24660, CVSS 8.1) enabling arbitrary code execution or memory corruption via maliciously crafted RAW image files. The affected version is libraw 0.22.0, with CVE-2026-21413 also affecting version 0.22.1. Red Hat has released patched packages for Red Hat Enterprise Linux 8, and users must apply the update to mitigate these risks.
Red Hat Product Errata RHSA-2026:13284 - Security Advisory Issued: 2026-05-04 Updated: 2026-05-04 RHSA-2026:13284 - Security Advisory Overview Updated Packages Synopsis Important: LibRaw security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for LibRaw is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description LibRaw is a library for reading RAW files obtained from digital photo cameras (CRW/CR2, NEF, RAF, DNG, and others). Security Fix(es): LibRaw: LibRaw: Memory Corruption via Malicious File Processing (CVE-2026-24660) LibRaw: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading (CVE-2026-21413) LibRaw: LibRaw: Arbitrary code execution via specially crafted image file (CVE-2026-20889) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 8 x86_64 Red Hat Enterprise Linux for Power, little endian 8 ppc64le Red Hat CodeReady Linux Builder for x86_64 8 x86_64 Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 x86_64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 8.10 ppc64le Fixes BZ - 2455926 - CVE-2026-24660 LibRaw: LibRaw: Memory Corruption via Malicious File Processing BZ - 2455929 - CVE-2026-21413 LibRaw: LibRaw: Arbitrary code execution via heap-based buffer overflow in lossless JPEG loading BZ - 2455942 - CVE-2026-20889 LibRaw: LibRaw: Arbitrary code execution via specially crafted image file CVEs CVE-2026-20889 CVE-2026-21413 CVE-2026-24660 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 8 SRPM LibRaw-0.19.5-6.el8_10.src.rpm SHA-256: d235eaccaca269b2e2909e8d63030b935111d85b083ec48b32e28ced2dd55e3e x86_64 LibRaw-0.19.5-6.el8_10.i686.rpm SHA-256: 0dac0c5736662928cf9923532bfd68af0a174e9208954f132b77da7f673f0917 LibRaw-0.19.5-6.el8_10.x86_64.rpm SHA-256: c9f0698559e5a6e617257286ac38d94c5e918a22588b6b34d5b53fd8e94d23ea LibRaw-debuginfo-0.19.5-6.el8_10.i686.rpm SHA-256: 8812505e6741ca51d497a02448cdf6e49ce36e63bf658f55653ba0bf400f0744 LibRaw-debuginfo-0.19.5-6.el8_10.x86_64.rpm SHA-256: 60aa414ff50a1a47318b4a3b9525296ec848306b1638d1795e9eb37d280a9c89 LibRaw-debugsource-0.19.5-6.el8_10.i686.rpm SHA-256: 1c0ef57fcc1a1cc8ea85b0e15c4306f142ba053ee71108de2837412729d3b7e9 LibRaw-debugsource-0.19.5-6.el8_10.x86_64.rpm SHA-256: 5b248c1136f21a0f6d5244cc671be57ec87a5298f21a3f08a7ffe2f5f9a4dbe2 LibRaw-samples-debuginfo-0.19.5-6.el8_10.i686.rpm SHA-256: fc112dcdf7d8ee153fad15ade0d78a39ef50ced582d1e28bb903bd74d4d9a85d LibRaw-samples-debuginfo-0.19.5-6.el8_10.x86_64.rpm SHA-256: e9e6fb7d6891934bdf17bcd4ad3f6489c21062c75bf3c1de0bcfc5cbdb8d0e8d Red Hat Enterprise Linux for Power, little endian 8 SRPM LibRaw-0.19.5-6.el8_10.src.rpm SHA-256: d235eaccaca269b2e2909e8d63030b935111d85b083ec48b32e28ced2dd55e3e ppc64le LibRaw-0.19.5-6.el8_10.ppc64le.rpm SHA-256: feb1e078d9618a86a544771da56f653c1665bc2a23ab1a7518fa650cbca175c3 LibRaw-debuginfo-0.19.5-6.el8_10.ppc64le.rpm SHA-256: d34c74297bda1dfc47f5ce89a77dbade2b8a127fe5bc28c5bf42886db47d1ba1 LibRaw-debugsource-0.19.5-6.el8_10.ppc64le.rpm SHA-256: 33888540c6e8aad3f2035818dfe86a7de1e2d510717cd0b1b68b43964929b569 LibRaw-samples-debuginfo-0.19.5-6.el8_10.ppc64le.rpm SHA-256: 573bbb89c564d0feb09b3529a5b01148be61e5ed41b05d802ccd22d36e77ab88 Red Hat CodeReady Linux Builder for x86_64 8 SRPM x86_64 LibRaw-debuginfo-0.19.5-6.el8_10.i686.rpm SHA-256: 8812505e6741ca51d497a02448cdf6e49ce36e63bf658f55653ba0bf400f0744 LibRaw-debuginfo-0.19.5-6.el8_10.x86_64.rpm SHA-256: 60aa414ff50a1a47318b4a3b9525296ec848306b1638d1795e9eb37d280a9c89 LibRaw-debugsource-0.19.5-6.el8_10.i686.rpm SHA-256: 1c0ef57fcc1a1cc8ea85b0e15c4306f142ba053ee71108de2837412729d3b7e9 LibRaw-debugsource-0.19.5-6.el8_10.x86_64.rpm SHA-256: 5b248c1136f21a0f6d5244cc671be57ec87a5298f21a3f08a7ffe2f5f9a4dbe2 LibRaw-devel-0.19.5-6.el8_10.i686.rpm SHA-256: bfa865dd0feaafdcf6c0cb66dd4d8818195fe1d6f049e8cb5a0880bc6bbf1fad LibRaw-devel-0.19.5-6.el8_10.x86_64.rpm SHA-256: 24d88bbfcea5c933f7023cbcd1aeabada38f36e5ae582a978cccaab26533f760 LibRaw-samples-debuginfo-0.19.5-6.el8_10.i686.rpm SHA-256: fc112dcdf7d8ee153fad15ade0d78a39ef50ced582d1e28bb903bd74d4d9a85d LibRaw-samples-debuginfo-0.19.5-6.el8_10.x86_64.rpm SHA-256: e9e6fb7d6891934bdf17bcd4ad3f6489c21062c75bf3c1de0bcfc5cbdb8d0e8d Red Hat CodeReady Linux Builder for Power, little endian 8 SRPM ppc64le LibRaw-debuginfo-0.19.5-6.el8_10.ppc64le.rpm SHA-256: d34c74297bda1dfc47f5ce89a77dbade2b8a127fe5bc28c5bf42886db47d1ba1 LibRaw-debugsource-0.19.5-6.el8_10.ppc64le.rpm SHA-256: 33888540c6e8aad3f2035818dfe86a7de1e2d510717cd0b1b68b43964929b569 LibRaw-devel-0.19.5-6.el8_10.ppc64le.rpm SHA-256: b4c0fa25caf2639fb5f19555babee9e0ef727f41152de82d856256e04cbc58c4 LibRaw-samples-debuginfo-0.19.5-6.el8_10.ppc64le.rpm SHA-256: 573bbb89c564d0feb09b3529a5b01148be61e5ed41b05d802ccd22d36e77ab88 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 SRPM LibRaw-0.19.5-6.el8_10.src.rpm SHA-256: d235eaccaca269b2e2909e8d63030b935111d85b083ec48b32e28ced2dd55e3e x86_64 LibRaw-0.19.5-6.el8_10.i686.rpm SHA-256: 0dac0c5736662928cf9923532bfd68af0a174e9208954f132b77da7f673f0917 LibRaw-0.19.5-6.el8_10.x86_64.rpm SHA-256: c9f0698559e5a6e617257286ac38d94c5e918a22588b6b34d5b53fd8e94d23ea LibRaw-debuginfo-0.19.5-6.el8_10.i686.rpm SHA-256: 8812505e6741ca51d497a02448cdf6e49ce36e63bf658f55653ba0bf400f0744 LibRaw-debuginfo-0.19.5-6.el8_10.x86_64.rpm SHA-256: 60aa414ff50a1a47318b4a3b9525296ec848306b1638d1795e9eb37d280a9c89 LibRaw-debugsource-0.19.5-6.el8_10.i686.rpm SHA-256: 1c0ef57fcc1a1cc8ea85b0e15c4306f142ba053ee71108de2837412729d3b7e9 LibRaw-debugsource-0.19.5-6.el8_10.x86_64.rpm SHA-256: 5b248c1136f21a0f6d5244cc671be57ec87a5298f21a3f08a7ffe2f5f9a4dbe2 LibRaw-samples-debuginfo-0.19.5-6.el8_10.i686.rpm SHA-256: fc112dcdf7d8ee153fad15ade0d78a39ef50ced582d1e28bb903bd74d4d9a85d LibRaw-samples-debuginfo-0.19.5-6.el8_10.x86_64.rpm SHA-256: e9e6fb7d6891934bdf17bcd4ad3f6489c21062c75bf3c1de0bcfc5cbdb8d0e8d Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 8.10 SRPM LibRaw-0.19.5-6.el8_10.src.rpm SHA-256: d235eaccaca269b2e2909e8d63030b935111d85b083ec48b32e28ced2dd55e3e ppc64le LibRaw-0.19.5-6.el8_10.ppc64le.rpm SHA-256: feb1e078d9618a86a544771da56f653c1665bc2a23ab1a7518fa650cbca175c3 LibRaw-debuginfo-0.19.5-6.el8_10.ppc64le.rpm SHA-256: d34c74297bda1dfc47f5ce89a77dbade2b8a127fe5bc28c5bf42886db47d1ba1 LibRaw-debugsource-0.19.5-6.el8_10.ppc64le.rpm SHA-256: 33888540c6e8aad3f2035818dfe86a7de1e2d510717cd0b1b68b43964929b569 LibRaw-samples-debuginfo-0.19.5-6.el8_10.ppc64le.rpm SHA-256: 573bbb89c564d0feb09b3529a5b01148be61e5ed41b05d802ccd22d36e77ab88 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .