TALOS-2026-2363: LibRaw Integer Overflow Leading to Heap Buffer Overflow (CVE-2026-24450)

Talos Vulnerability Report Summary (TALOS-2026-2363) Vulnerability Overview CVE ID: CVE-2026-24450 Vulnerability Name: LibRaw uncompressed_fp_dng_load_raw integer overflow vulnerability Vulnerability Type: Integer Overflow leading to Heap Buffer Overflow CVSS Score: 8.1 (High) Description: An integer overflow vulnerability exists within the function. An attacker can trigger this vulnerability by providing a crafted malicious file, resulting in a heap buffer overflow. Note: This vulnerability is not exploitable under the default setting (2048 MB) because this limit rejects dimensions that would trigger the overflow. The application becomes vulnerable if this limit is increased. Scope of Impact Affected Versions: LibRaw Commit 8dc69e2 Technical Details and POC Code The vulnerability occurs within the function in the file. Key Code Snippet (Vulnerable Code): Vulnerability Analysis: 1. Line [1]: The code correctly uses casting to calculate the required buffer size ( ). 2. Line [2]: The memory check also correctly uses 64-bit arithmetic. 3. Line [3] (Vulnerability Point): When actually allocating memory, the first argument to uses 32-bit arithmetic multiplication ( ) without an cast. An overflow occurs when the product exceeds , resulting in an allocated buffer that is far smaller than the actual space required. 4. Lines [4] and [5]: Index calculations also use 32-bit arithmetic, causing write operations to exceed the boundaries of the allocated buffer, triggering a heap buffer overflow. Exploitation Example:** When using , , and , the expected size is approximately 4.2 billion elements, which exceeds the maximum value of . This results in an allocation of approximately 284 KB, while the program attempts to write approximately 256 MB of data, thereby triggering the overflow. Remediation Fix the arithmetic operations in the call (Line [3]) to ensure all multiplication operations use 64-bit integers ( ) to prevent overflow. Additionally, ensure that subsequent memory access (Lines [4] and [5]) index calculations also use 64-bit arithmetic.

Goal Reached Thanks to every supporter — we hit 100%!

TALOS-2026-2363: LibRaw Integer Overflow Leading to Heap Buffer Overflow (CVE-2026-24450)