An update for LibRaw is now available for openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2738 Final 1.0 1.0 2026-06-24 Initial 2026-06-24 2026-06-24 openEuler SA Tool V1.0 2026-06-24 LibRaw security update An update for LibRaw is now available for openEuler-22.03-LTS-SP4 LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF, RAF, etc, virtually all RAW formats are supported).It pays special attention to correct retrieval of data required for subsequent RAW conversion.The library is intended for embedding in RAW converters, data analyzers, and other programs using RAW files as the initial data. Security Fix(es): An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.(CVE-2026-20884) A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.(CVE-2026-20889) A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw. A specially crafted malicious file can lead to a heap buffer overflow, causing memory corruption. This vulnerability affects specific commit versions.(CVE-2026-20911) A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.(CVE-2026-21413) A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.(CVE-2026-24660) A flaw has been found in LibRaw up to 0.22.0. This affects the function LibRaw::nikon_load_padded_packed_raw of the file src/decoders/decoders_libraw.cpp of the component TIFF/NEF. Executing a manipulation of the argument load_flags/raw_width can lead to out-of-bounds read. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 0.22.1 mitigates this issue. This patch is called b8397cd45657b84e88bd1202528d1764265f185c. It is advisable to upgrade the affected component.(CVE-2026-5342) An update for LibRaw is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-24.03-LTS-SP4. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical LibRaw https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2738 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-20884 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-20889 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-20911 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-21413 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-24660 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-5342 https://nvd.nist.gov/vuln/detail/CVE-2026-20884 https://nvd.nist.gov/vuln/detail/CVE-2026-20889 https://nvd.nist.gov/vuln/detail/CVE-2026-20911 https://nvd.nist.gov/vuln/detail/CVE-2026-21413 https://nvd.nist.gov/vuln/detail/CVE-2026-24660 https://nvd.nist.gov/vuln/detail/CVE-2026-5342 openEuler-22.03-LTS-SP4 LibRaw-0.20.2-10.oe2203sp4.src.rpm LibRaw-0.20.2-10.oe2203sp4.x86_64.rpm LibRaw-debuginfo-0.20.2-10.oe2203sp4.x86_64.rpm LibRaw-debugsource-0.20.2-10.oe2203sp4.x86_64.rpm LibRaw-devel-0.20.2-10.oe2203sp4.x86_64.rpm LibRaw-0.20.2-10.oe2203sp4.aarch64.rpm LibRaw-debuginfo-0.20.2-10.oe2203sp4.aarch64.rpm LibRaw-debugsource-0.20.2-10.oe2203sp4.aarch64.rpm LibRaw-devel-0.20.2-10.oe2203sp4.aarch64.rpm An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 2026-06-24 CVE-2026-20884 openEuler-22.03-LTS-SP4 High 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H LibRaw security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2738 A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 2026-06-24 CVE-2026-20889 openEuler-22.03-LTS-SP4 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H LibRaw security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2738 A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw. A specially crafted malicious file can lead to a heap buffer overflow, causing memory corruption. This vulnerability affects specific commit versions. 2026-06-24 CVE-2026-20911 openEuler-22.03-LTS-SP4 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H LibRaw security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2738 A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 2026-06-24 CVE-2026-21413 openEuler-22.03-LTS-SP4 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H LibRaw security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2738 A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 2026-06-24 CVE-2026-24660 openEuler-22.03-LTS-SP4 High 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H LibRaw security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2738 A flaw has been found in LibRaw up to 0.22.0. This affects the function LibRaw::nikon_load_padded_packed_raw of the file src/decoders/decoders_libraw.cpp of the component TIFF/NEF. Executing a manipulation of the argument load_flags/raw_width can lead to out-of-bounds read. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 0.22.1 mitigates this issue. This patch is called b8397cd45657b84e88bd1202528d1764265f185c. It is advisable to upgrade the affected component. 2026-06-24 CVE-2026-5342 openEuler-22.03-LTS-SP4 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L LibRaw security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2738