CVE-2015-3885

Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier allows remote attackers to cause a denial of service (crash) via a crafted image, which triggers a buffer overflow, related to the len variable.

Published: 2015-05-19
Last update: 2026-05-06
Assigner: [email protected]
Source: [email protected]

Conclusion & alert: CVE-2015-3885 is rated Moderate Risk (46.9/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 4.73%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2015-3885

EPSS is a daily estimate of the relative likelihood that a vulnerability will be exploited in the wild; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher relative rank).

#   Date         Old EPSS score   New EPSS score   Delta (New - Old)
1   2026-06-07   6.39%            4.73%            -1.66%
2   2026-06-06   3.56%            6.39%            +2.83%
3   2025-10-17                    3.56%

Full EPSS history: 13 records in total; the three most recent are shown above.

Common vulnerability scoring system (CVSS) metrics for CVE-2015-3885

CVSS metrics for this CVE.

Base score   Version   Severity   Vector                       Exploitability   Impact   Score source
4.3          2.0       MEDIUM     AV:N/AC:M/Au:N/C:N/I:N/A:P   8.6              2.9      [email protected]

Vector breakdown:
Access vector (AV:N): exploitable remotely over the network.
Access complexity (AC:M): exploitation needs some favorable conditions, but not exceptional ones.
Authentication (Au:N): no authentication is required.
Confidentiality impact (C:N): no confidentiality impact.
Integrity impact (I:N): no integrity impact.
Availability impact (A:P): partial availability impact.

Weakness enumeration for CVE-2015-3885

OS Trackers for CVE-2015-3885

Vendor: debian
Priority: not yet assigned
Summary: 7 source packages (darktable, dcraw, …), 35 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 35.
Link: https://security-tracker.debian.org/tracker/CVE-2015-3885

Vendor: gentoo
Priority: normal
Summary: 3 GLSAs (201701-54, 201701-60, 201706-17), 3 atoms (media-gfx/dcraw, media-libs/libraw, media-tv/kodi); latest impact normal.
Link: https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2015-3885

Vendor: redhat
Priority: low
Link: https://access.redhat.com/security/cve/CVE-2015-3885

Vendor: suse
Priority: low
Summary: 23 source package names (darktable-2.0.7-1.1, darktable-doc-2.0.7-1.1, …), 99 product×package rows across 45 product lines (SUSE CaaS Platform 4.5, SUSE Enterprise Storage 7, …): Known Not Affected 75, Fixed 24.
Link: https://www.suse.com/security/cve/CVE-2015-3885/

Vendor: ubuntu
Priority: negligible
Summary: 10 source packages (darktable, dcraw, …), 260 status rows across 26 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, precise, questing, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): not-affected 130, DNE 67, ignored 48, released 10, needed 4, needs-triage 1.
Link: https://ubuntu.com/security/CVE-2015-3885

Affected software / configurations for CVE-2015-3885

Vendor          Product   Version   Raw CPE
dcraw_project   dcraw     <= 7.00   cpe:2.3:a:dcraw_project:dcraw:*:*:*:*:*:*:*:*
fedoraproject   fedora    21        cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*

References for CVE-2015-3885

URL (tags in brackets where assigned)
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162084.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159469.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159479.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159518.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159579.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159625.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159665.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159083.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159123.html
http://www.ocert.org/advisories/ocert-2015-006.html [US Government Resource]
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/archive/1/535513/100/0/threaded
http://www.securityfocus.com/bid/74590
https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
https://security.gentoo.org/glsa/201701-54
https://security.gentoo.org/glsa/201706-17
cvelogic Threat Intelligence