An error within the "LibRaw::unpack()" function (src/libraw_cxx.cpp) in LibRaw versions prior to 0.18.7 can be exploited to trigger a NULL pointer dereference.
Conclusion & alert: CVE-2018-5801 is rated Moderate Risk (54/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.04%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.53% | 2.04% | +0.51% |
| 2 | 2026-04-13 | 1.11% | 1.53% | +0.42% |
| 3 | 2026-01-22 | — | 1.11% | — |
Full EPSS history (23 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.0 | MEDIUM |
|
2.8 | 3.6 | [email protected] |
| 4.3 | 2.0 | MEDIUM |
|
8.6 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
medium | CVE-2018-5801: 1 source package rows (libraw); 4 state rows across 2 repos (3.22-community, edge-community); fixed 0, open 4. | https://security.alpinelinux.org/vuln/CVE-2018-5801 |
debian
|
not yet assigned | CVE-2018-5801 not yet assigned priority: Debian including 1 source packages (libraw), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2018-5801 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2018-5801 |
suse
|
low | CVE-2018-5801 severity low: SUSE including 13 source package names (dcraw-9.28.0-1.6, dcraw-9.28.0-150000.3.3.1, …), 36 product×package rows across 19 product lines (SUSE Liberty Linux 7, SUSE Linux Enterprise Desktop 12 SP3, … (19 product lines)): Fixed 36. | https://www.suse.com/security/cve/CVE-2018-5801/ |
ubuntu
|
medium | CVE-2018-5801 medium priority: Ubuntu including 8 source packages (darktable, dcraw, …), 160 status rows across 20 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): ignored 80, DNE 38, needs-triage 22, not-affected 16, released 4. | https://ubuntu.com/security/CVE-2018-5801 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| libraw | libraw | < 0.18.7 | cpe:2.3:a:libraw:libraw:*:*:*:*:*:*:*:* |
| redhat | enterprise_linux_desktop | 7.0 | cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server | 7.0 | cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux_workstation | 7.0 | cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 14.04 | cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 16.04 | cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 17.10 | cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:* |
| debian | debian_linux | 8.0 | cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2018:3065 | Third Party Advisory |
| https://github.com/LibRaw/LibRaw/blob/master/Changelog.txt | Release Notes |
| https://github.com/LibRaw/LibRaw/commit/0df5490b985c419de008d32168650bff17128914 | Patch |
| https://lists.debian.org/debian-lts-announce/2019/03/msg00036.html | Mailing List Third Party Advisory |
| https://secuniaresearch.flexerasoftware.com/advisories/79000/ | Third Party Advisory |
| https://secuniaresearch.flexerasoftware.com/secunia_research/2018-1/ | Third Party Advisory |
| https://usn.ubuntu.com/3615-1/ | Third Party Advisory |