Fedora 44 : ImageMagick / LibRaw / OpenImageIO / OpenImageIO2.5 / etc (2026-bef0050737)

medium Nessus Plugin ID 306255

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 44 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2026-bef0050737 advisory.

LibRaw 0.22.1 and rebuilds

----

Release 3.1.12.0 (Apr 1, 2026) -- compared to 3.1.11.0

- oiiotool: Better type understanding with -i:ch= and other cleanup #5056
- texture: Fix texture overblur with st-blur parameters #5071 #5080 (by Pascal Lecocq) (3.1.12.0, 3.0.17.0)
- IBA: Handle offset data windows in fillholes_pushpull #5105 (3.1.12.0, 3.0.17.0)
- ImageInput: check_open fixes and new validity checks #5087 (3.1.12.0, 3.0.17.0)
- bmp: Use check_open to guard against corrupt resolutions #5086 (3.1.12.0, 3.0.17.0)
- heif: Fix invalid read writing 8-bit images with dimensions not a multiple of 64 #5095 (by Brecht Van Lommel)
- ico: Various validity checks and error handling for corruptions #5088 (3.1.12.0, 3.0.17.0)
- jpeg: Improved safety and error reporting for jpeg and iptc #5081
- jpeg2000: Suppress leak when reading with OpenJPH #5098
- psd: Fixes against corrupt files with better validation #5089 (3.1.12.0, 3.0.17.0)
- rla: Lots of additional validity checking and safety #5094 (3.1.12.0, 3.0.17.0)
- tiff: Support GPS fields, and other metadata enhancements #5050
- tiff: Fix buffer overrun and improve error reporting #5082, fix wrong number of values passed to invert_photometric #5083, check for invalid bit depth in palette images #5091
- ImageSpec: metadata_val improved safety #5096 (3.1.12.0, 3.0.17.0)
- fix: Fix UB-sanitizer warning about alignment #5097
- fix: Catch exceptions in print-uncaught-messages destructor #5103
- fix: Enhanced exception safety for our use of OpenColorIO #5114
- fix: Fix possible fmt exceptions where we might have passed null string #5115
- build: Test building with clang 22.1, fix warnings uncovered #5067
- build: Improve security by pinning auto-build dependencies by hash #5076
- build: Include idiff in the python wheels we build #5104 (3.1.12.0, 3.0.17.0)
- build(pybind11): Address new pybind11 float/int auto-conversion behavior #5058
- build(win): Embed manifest in OIIO executables to enable long path handling #5066 (by Nathan Rusch)
- ci: Add CI test for MSVS 2026 #5060 (3.1.12.0, 3.0.17.0)
- ci: For security, replace workflow substitutions with safer env substitutions #5070
- ci: Speed up slow benchmarks for debug and sanitizer CI tests #5077
- ci: On Mac Intel CI variant, don't install openvdb, for speed #5065 (3.1.12.0, 3.0.17.0)
- ci: Bump GitHub Actions to latest versions #5078 #5110 #5119
- ci: Fix broken Mac CI and wheel building by specifying full compiler paths #5100 #5101 (3.1.12.0, 3.0.17.0)
- ci: Update certificates to be able to install icc #5122 (3.1.12.0, 3.0.17.0)
- ci: Turn off nightly workflows for user forks #5042
- tests: New ref outputs for tiff-misc, heif no-avif, and ffmpeg 8.1 cases #5075 #5079 #5099 #5112
- docs: Update description for dwaCompressionLevel #5074 (by Aamir Raza)
- docs: Fix formatting examples for version macros #5073
- docs: Keep TextureSystem docs in sync with ImageCache #5085 (3.1.12.0, 3.0.17.0)
- docs: Fix typos and incorrect attribute name in a comment #5093 (3.1.12.0, 3.0.17.0)
- docs: Fix misstatement about oiiotool --if #5102 (3.1.12.0, 3.0.17.0)
- admin: Draft policy on use of AI coding assistants #5072 (3.1.12.0, 3.0.17.0)
- ci: Freetype adjustments #4999

----

Update to 5.1 (#2451401)

----

Update to 5.0 (#2447841)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2026-bef0050737

Plugin Details

Severity: Medium

ID: 306255

File Name: fedora_2026-bef0050737.nasl

Version: 1.2

Type: Local

Agent: unix

Published: 4/13/2026

Updated: 4/14/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-20884

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-5342

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:photoqt, p-cpe:/a:fedoraproject:fedora:nomacs, p-cpe:/a:fedoraproject:fedora:swayimg, p-cpe:/a:fedoraproject:fedora:shotwell, p-cpe:/a:fedoraproject:fedora:openimageio, p-cpe:/a:fedoraproject:fedora:elementary-photos, p-cpe:/a:fedoraproject:fedora:kstars, p-cpe:/a:fedoraproject:fedora:libpasraw, p-cpe:/a:fedoraproject:fedora:dtk6gui, p-cpe:/a:fedoraproject:fedora:luminance-hdr, p-cpe:/a:fedoraproject:fedora:gthumb, p-cpe:/a:fedoraproject:fedora:rawtherapee, p-cpe:/a:fedoraproject:fedora:imagemagick, p-cpe:/a:fedoraproject:fedora:kf5-kimageformats, p-cpe:/a:fedoraproject:fedora:kf5-libkdcraw, p-cpe:/a:fedoraproject:fedora:vips, p-cpe:/a:fedoraproject:fedora:kf6-kimageformats, p-cpe:/a:fedoraproject:fedora:openimageio2.5, p-cpe:/a:fedoraproject:fedora:gegl04, p-cpe:/a:fedoraproject:fedora:geeqie, p-cpe:/a:fedoraproject:fedora:entangle, p-cpe:/a:fedoraproject:fedora:freeimage, cpe:/o:fedoraproject:fedora:44, p-cpe:/a:fedoraproject:fedora:siril, p-cpe:/a:fedoraproject:fedora:deepin-image-viewer, p-cpe:/a:fedoraproject:fedora:libraw, p-cpe:/a:fedoraproject:fedora:efl, p-cpe:/a:fedoraproject:fedora:dtkgui, p-cpe:/a:fedoraproject:fedora:libkdcraw

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/8/2026

Vulnerability Publication Date: 4/2/2026

Reference Information

CVE: CVE-2026-20884, CVE-2026-5318, CVE-2026-5342