CVE-2026-1837

Published 11/02/2026 16:16 · Modified 11/02/2026 20:16

Labels: CVE-2026-1837, 2026-02-11, CWE-805, [email protected]

Essential information

Published: 11/02/2026 16:16
Modified: 11/02/2026 20:16
Author:
Creator:
CVSS: 8.7 HIGH (v3), 8.7 HIGH (v4.0)
CISA KEV: No
CWE:
CVSS vector:

CVSS metrics

Description

A specially crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that, data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting a color transformation of grayscale images to another grayscale color space. Buffers allocated for 1 float per pixel are used as if they were allocated for 3 floats per pixel. This happens only if LCMS2 is used as the CMS engine. Another CMS engine is available (selected by build flags).

NVD status

Status
Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
[email protected]

Affected products (CPE)

Product | CPE
libjxl / libjxl | cpe:2.3:a:libjxl:libjxl:*:*:*:*:*:*:*:*

References