Skip to main content

OpenHTJ2K CVE-2026-51808

| EUVDEUVD-2026-44581 CRITICAL
Classic Buffer Overflow (CWE-120)
2026-07-14 cve@mitre.org GHSA-rqpx-m8w5-7hj9
9.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

JPIP server path is network-reachable with no auth or user interaction (AV:N/PR:N/UI:N/AC:L); confirmed heap info leak gives C:H and OOB heap write supports I:H/A:H, matching the published base score.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Source Code Evidence Fetched
Jul 15, 2026 - 14:23 vuln.today
Analysis Generated
Jul 15, 2026 - 14:23 vuln.today
CVSS changed
Jul 15, 2026 - 14:22 NVD
9.8 (CRITICAL)
CVE Published
Jul 14, 2026 - 23:17 cve.org
CRITICAL 9.8
CVE Published
Jul 14, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the openhtj2k_decoder_impl::invoke, invoke_line_based, invoke_line_based_stream, and invoke_line_based_predecoded function in source/core/interface/decoder.cpp

AnalysisAI

Heap out-of-bounds read/write in OpenHTJ2K (High-Throughput JPEG 2000 reference codec) v0.18.4 and earlier lets an attacker corrupt heap memory by supplying a crafted J2K/JP2 codestream, with a confirmed heap information-leak primitive and vendor-claimed arbitrary code execution. The flaw is reached through every decoder entry point (invoke, invoke_line_based, invoke_line_based_stream, invoke_line_based_predecoded) and, notably, through a JPIP server's startup codestream load, making it network-reachable without user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft J2K with out-of-range SOT Isot
Delivery
Deliver to JPIP server or decoder
Exploit
Unchecked tile_index in decoder.cpp
Execution
Heap OOB read/write in add_tile_part()
Persist
Leak heap pointers via JPIP data-bins
Impact
Memory corruption / claimed code execution

Vulnerability AssessmentAI

Exploitation The target must process attacker-controlled JPEG 2000 (J2K/JP2) content with OpenHTJ2K v0.18.4 or earlier - either by calling any decoder entry point (invoke, invoke_line_based, invoke_line_based_stream, invoke_line_based_predecoded) or by running a JPIP server that loads the crafted codestream at startup via PacketLocator::build. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H, base 9.8) implies trivial remote unauthenticated compromise, which holds for the JPIP server path where the codestream is loaded at startup/without user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malformed JPEG 2000 codestream containing an SOT marker whose Isot tile index exceeds the actual tile count, then delivers it to a target running a JPIP server (loaded at startup, no user interaction) or to any application that decodes the file with OpenHTJ2K. Because AC is low, the malformed index passes unchecked into add_tile_part(), producing a heap out-of-bounds read/write; against a JPIP server the attacker can retrieve leaked heap pointers through later tile-header data-bin responses. …
Remediation Vendor-released patch: v0.18.5 - upgrade to OpenHTJ2K v0.18.5 or later (release https://github.com/osamu620/OpenHTJ2K/releases/tag/v0.18.5, fix in PR https://github.com/osamu620/OpenHTJ2K/pull/320), which adds a bounds check rejecting SOT tile indices where Isot >= numTiles and throws before any write through the offending pointer. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all systems running OpenHTJ2K v0.18.4 and earlier; disable or isolate JPEG 2000 decoding services, particularly JPIP servers, from untrusted network segments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-51808 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy