Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
JPIP server path is network-reachable with no auth or user interaction (AV:N/PR:N/UI:N/AC:L); confirmed heap info leak gives C:H and OOB heap write supports I:H/A:H, matching the published base score.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the openhtj2k_decoder_impl::invoke, invoke_line_based, invoke_line_based_stream, and invoke_line_based_predecoded function in source/core/interface/decoder.cpp
AnalysisAI
Heap out-of-bounds read/write in OpenHTJ2K (High-Throughput JPEG 2000 reference codec) v0.18.4 and earlier lets an attacker corrupt heap memory by supplying a crafted J2K/JP2 codestream, with a confirmed heap information-leak primitive and vendor-claimed arbitrary code execution. The flaw is reached through every decoder entry point (invoke, invoke_line_based, invoke_line_based_stream, invoke_line_based_predecoded) and, notably, through a JPIP server's startup codestream load, making it network-reachable without user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target must process attacker-controlled JPEG 2000 (J2K/JP2) content with OpenHTJ2K v0.18.4 or earlier - either by calling any decoder entry point (invoke, invoke_line_based, invoke_line_based_stream, invoke_line_based_predecoded) or by running a JPIP server that loads the crafted codestream at startup via PacketLocator::build. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H, base 9.8) implies trivial remote unauthenticated compromise, which holds for the JPIP server path where the codestream is loaded at startup/without user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malformed JPEG 2000 codestream containing an SOT marker whose Isot tile index exceeds the actual tile count, then delivers it to a target running a JPIP server (loaded at startup, no user interaction) or to any application that decodes the file with OpenHTJ2K. Because AC is low, the malformed index passes unchecked into add_tile_part(), producing a heap out-of-bounds read/write; against a JPIP server the attacker can retrieve leaked heap pointers through later tile-header data-bin responses. … |
| Remediation | Vendor-released patch: v0.18.5 - upgrade to OpenHTJ2K v0.18.5 or later (release https://github.com/osamu620/OpenHTJ2K/releases/tag/v0.18.5, fix in PR https://github.com/osamu620/OpenHTJ2K/pull/320), which adds a bounds check rejecting SOT tile indices where Isot >= numTiles and throws before any write through the offending pointer. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all systems running OpenHTJ2K v0.18.4 and earlier; disable or isolate JPEG 2000 decoding services, particularly JPIP servers, from untrusted network segments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44581
GHSA-rqpx-m8w5-7hj9