CVE-2026-24660

HighPublic PoC

Published: 07 April 2026

Published

07 April 2026

Modified

10 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 18.0th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24660 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Libraw Libraw. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

preventrecover

Directly requires identification, reporting, and timely remediation of software flaws such as the heap buffer overflow in LibRaw via patching or upgrades.

SI-16 Memory Protection good match

prevent

Implements memory protections like address space randomization and non-executable memory to prevent arbitrary code execution from heap buffer overflows triggered by malicious files.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables automated scanning to identify the presence of CVE-2026-24660 in LibRaw and dependent applications for prioritization of remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Heap overflow in image parsing library enables RCE via malicious file supplied to apps/services (T1204.002); network attack vector without auth/UI supports exploitation of public-facing apps (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

Deeper analysisAI

CVE-2026-24660 is a heap-based buffer overflow vulnerability in the x3f_load_huffman functionality of LibRaw at commit d20315b. This flaw affects LibRaw, an open-source library used for reading RAW image files from digital cameras, and can be triggered by processing a specially crafted malicious file.

The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network vector, high attack complexity, no privileges or user interaction required, and significant impacts on confidentiality, integrity, and availability. An attacker can exploit it by supplying a malicious file to any application or service that uses the vulnerable LibRaw version, potentially leading to arbitrary code execution, data corruption, or denial of service via heap overflow.

Mitigation details and further technical analysis are available in the Talos Intelligence advisory (TALOS-2026-2359) at https://talosintelligence.com/vulnerability_reports/TALOS-2026-2359.