CVE-2026-1837
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.
This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| libjxl | 0.9 <= 0.11.1 | affected |
Weaknesses
- CWE-805: CWE-805
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
Additional References
libjxl: libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2
Additional References
- https://access.redhat.com/security/cve/CVE-2026-1837
- https://bugzilla.redhat.com/show_bug.cgi?id=2438974
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1837.json
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.