Cyber Posture

CVE-2026-21413

Severity: Critical · Public PoC referenced

Published: 07 April 2026
Modified: 10 April 2026
KEV Added: not currently listed

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (18.0th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21413 is a critical-severity Improper Validation of Array Index (CWE-129) vulnerability in LibRaw. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 18.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely remediation of identified software flaws, such as patching the heap buffer overflow in LibRaw's lossless_jpeg_load_raw function at the vulnerable commits.

SI-10 Information Input Validation (prevent)

Requires validation of information inputs such as specially crafted RAW image files, addressing the improper array index validation that leads to the buffer overflow.

SI-16 Memory Protection (prevent)

Implements memory protection mechanisms (non-executable memory, address space layout randomization) that raise the cost of turning a heap buffer overflow into arbitrary code execution. These do not prevent the memory corruption itself, so they are a second line of defence behind patching, not a substitute for it.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why this technique?

A heap buffer overflow in a client-side image library (LibRaw) directly enables client application exploitation via a malicious file, leading to remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

Deeper analysis

A heap-based buffer overflow vulnerability, designated CVE-2026-21413, affects the lossless_jpeg_load_raw functionality in LibRaw at Commit 0b56545 and Commit d20315b. The root cause is improper validation of array indices (CWE-129): a specially crafted file supplies values that the decoder uses as array indices without checking them against the allocated buffer, so processing the file writes beyond the heap allocation. LibRaw is a widely used open-source library for reading RAW image files, commonly integrated into image processing applications, photo editors, and camera software, and is often bundled privately inside those applications rather than linked from a system package.
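As an added illustration (not LibRaw's code and not taken from the Talos advisory), the C program below contrasts a decoder whose write index comes purely from file-supplied header fields with the same decoder after a CWE-129 fix. The 4-byte header layout, the function names and the sample files are all constructed for this example; the pattern shown, a stream that claims more samples than the buffer sized from separate metadata, is the general shape of this bug class rather than a description of the specific LibRaw defect.

```c
/*
 * Added illustration of CWE-129 in a RAW decoder, in the spirit of the LibRaw
 * flaw on this page. Hypothetical code: this is NOT LibRaw's
 * lossless_jpeg_load_raw, and the 4-byte "SOF" header layout
 * [components][width lo][width hi][rows] is invented to keep it self-contained.
 * Build with -fsanitize=address to see the unchecked path's overflow report.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_COMPS 4u    /* raw lossless-JPEG streams carry 1..4 components */

typedef struct {
    unsigned comps;     /* components per pixel, taken from the file */
    unsigned wide;      /* samples per row, taken from the file */
    unsigned high;      /* rows, taken from the file */
} sof_hdr;

/* Parse the toy header. Returns 0, or -1 if the buffer is too short.
 * Deliberately does no range checking: that is the decoder's job. */
static int parse_sof(const uint8_t *buf, size_t len, sof_hdr *h)
{
    if (len < 4) return -1;
    h->comps = buf[0];
    h->wide  = buf[1] | ((unsigned)buf[2] << 8);
    h->high  = buf[3];
    return 0;
}

/* Vulnerable decoder. 'raw' was allocated from the camera metadata
 * (raw_w x raw_h samples), but the write index is computed only from the
 * attacker-controlled SOF fields, so a stream claiming more samples than the
 * allocation holds writes past the end of the heap buffer. The read bound is
 * checked; the write index is not (CWE-129). */
static int decode_unchecked(const uint8_t *buf, size_t len,
                            uint16_t *raw, unsigned raw_w, unsigned raw_h)
{
    sof_hdr h;
    const uint8_t *p;
    (void)raw_w; (void)raw_h;                       /* never consulted: the bug */
    if (parse_sof(buf, len, &h) < 0) return -1;
    p = buf + 4;
    for (unsigned row = 0; row < h.high; row++)
        for (unsigned col = 0; col < h.wide * h.comps; col++) {
            if ((size_t)(p - buf) >= len) return -1;
            raw[row * h.wide * h.comps + col] = *p++;
        }
    return 0;
}

/* Hardened decoder: every file-derived quantity is validated against the
 * allocation before the first write (the SI-10 control on this page). */
static int decode_checked(const uint8_t *buf, size_t len,
                          uint16_t *raw, unsigned raw_w, unsigned raw_h)
{
    sof_hdr h;
    size_t need, have;
    if (parse_sof(buf, len, &h) < 0) return -1;
    if (h.comps == 0 || h.comps > MAX_COMPS) return -2;   /* bad component count */
    if (h.wide == 0 || h.high == 0) return -2;
    need = (size_t)h.wide * h.comps * h.high;             /* samples to write */
    have = (size_t)raw_w * raw_h;                         /* samples allocated */
    if (need > have) return -3;                           /* would overflow raw */
    if (len - 4 < need) return -4;                        /* truncated sample data */
    for (size_t i = 0; i < need; i++) raw[i] = buf[4 + i];
    return 0;
}

/* Constructed sample files (not real camera data); raw buffer is 6 x 2 = 12. */
static const uint8_t BENIGN[4 + 12] = { 2, 3, 0, 2,       /* 2 x 3 x 2 = 12 */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
static const uint8_t MALICIOUS[4 + 20] = { 2, 5, 0, 2,    /* 2 x 5 x 2 = 20 */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 };
static const uint8_t BAD_COMPS[4 + 12] = { 9, 3, 0, 2,    /* 9 components */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };

typedef int (*decoder_fn)(const uint8_t *, size_t, uint16_t *, unsigned, unsigned);

/* Decode 'file' into a fresh raw_w x raw_h heap buffer; returns the decoder's
 * status and leaves the sum of all samples in *sum (78 for the benign file). */
static int run(decoder_fn dec, const uint8_t *file, size_t len,
               unsigned raw_w, unsigned raw_h, unsigned long *sum)
{
    size_t n = (size_t)raw_w * raw_h;
    uint16_t *raw = calloc(n, sizeof *raw);
    int rc = raw ? dec(file, len, raw, raw_w, raw_h) : -99;
    *sum = 0;
    for (size_t i = 0; raw && i < n; i++) *sum += raw[i];
    free(raw);
    return rc;
}

int main(void)
{
    unsigned long sum;
    int rc = run(decode_checked, BENIGN, sizeof BENIGN, 6, 2, &sum);
    printf("checked/benign:      rc=%d sum=%lu\n", rc, sum);  /* rc=0 sum=78 */
    rc = run(decode_checked, MALICIOUS, sizeof MALICIOUS, 6, 2, &sum);
    printf("checked/malicious:   rc=%d (rejected)\n", rc);      /* rc=-3 */
    /* Unchecked path on the malicious file writes raw[12..19] past a 12-sample
     * allocation; under ASan this aborts with a heap-buffer-overflow report. */
    rc = run(decode_unchecked, MALICIOUS, sizeof MALICIOUS, 6, 2, &sum);
    printf("unchecked/malicious: rc=%d (heap already corrupted)\n", rc);
    return 0;
}
```

Build with `cc -fsanitize=address -g` and run to see the unchecked path's overflow report; the checked path rejects the same file before any write. The point to carry over to real decoders is that the bound has to be the allocation actually made, not another field from the same untrusted file.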

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Read literally, that vector assumes a network-reachable decode path with low complexity and no privileges or user interaction. The trigger is a malicious RAW file, so the exposure depends on how LibRaw is deployed: server-side thumbnailers, ingest pipelines and web services that decode untrusted uploads match the network-facing case, while a desktop viewer or editor requires the user to open the file. In either case, decoding with the affected LibRaw commits can corrupt heap memory, with arbitrary code execution, data corruption, or denial of service as the possible outcomes.

Mitigation details are provided in the Talos Intelligence advisory TALOS-2026-2331 (https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2331). Practitioners should consult it for patching guidance, fixed commits, or workarounds specific to their LibRaw integration, and should inventory every copy of LibRaw in use, including copies statically linked or bundled inside applications, since updating the system package alone does not patch those.

Details

CWE(s): CWE-129 Improper Validation of Array Index

Affected Products

Vendor: libraw
Product: libraw
Versions: 0.22.0, 0.22.1 (the NVD description names commits 0b56545 and d20315b)

CVEs Like This One

Same product (LibRaw):
CVE-2026-20911
CVE-2026-20884
CVE-2026-20889
CVE-2026-24660
CVE-2026-24450

Shared CWE-129:
CVE-2026-22859
CVE-2026-25585
CVE-2024-45582
CVE-2023-53019
CVE-2024-49837
