Errata ALT-PU-2024-3037-2: Information
Fixes
Published: Sept. 13, 2024
Modified: March 4, 2026
BDU:2024-06926
Vulnerability in the sycc420_to_rgb function of the color.c component of the OpenJPEG image encoding and decoding library, related to an out-of-bounds write, allowing an attacker to gain access to confidential data, violate its integrity, and cause a denial of service
Severity: HIGH (7.8)
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: MEDIUM (6.8)
Vector: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
Links:
Published: Oct. 23, 2024
Modified: Sept. 24, 2025
BDU:2024-08389
Vulnerability in the OpenJPEG image encoding and decoding library, related to uncontrolled resource consumption, allowing an attacker to cause a denial of service
Severity: MEDIUM (5.5)
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Severity: MEDIUM (4.9)
Vector: CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:C
Links:
Published: Sept. 8, 2025
Modified: March 11, 2026
BDU:2025-10831
Vulnerability in the OpenJPEG image encoding and decoding library, related to a null pointer dereference, allowing an attacker to cause a denial of service
Severity: MEDIUM (6.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity: MEDIUM (6.4)
Vector: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
Links:
Published: Oct. 6, 2025
Modified: March 4, 2026
BDU:2025-12484
Vulnerability in the t2.c component of the OpenJPEG image encoding and decoding library, allowing an attacker to cause a denial of service
Severity: MEDIUM (4.3)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Severity: MEDIUM (5.0)
Vector: CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
Links:
Published: March 4, 2022
Modified: Nov. 3, 2025
CVE-2021-3575
A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.
Severity: HIGH (7.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: MEDIUM (6.8)
Vector: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
Links:
- https://bugzilla.redhat.com/show_bug.cgi?id=1957616
- https://github.com/uclouvain/openjpeg/issues/1347
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZ54FGM2IGAP4AWSJ22JKHOPHCR3FGYU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB6AI7CWXWMEDZIQY4LQ6DMIEXMDOHUP/
- https://ubuntu.com/security/CVE-2021-3575
- https://lists.debian.org/debian-lts-announce/2025/04/msg00002.html
Published: July 13, 2024
Modified: March 9, 2026
CVE-2023-39327
A flaw was found in OpenJPEG. Maliciously constructed pictures can cause the program to enter a large loop and continuously print warning messages on the terminal.
Severity: MEDIUM (4.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Links:
Published: July 9, 2024
Modified: Aug. 18, 2025
CVE-2023-39328
A vulnerability was found in OpenJPEG similar to CVE-2019-6988. This flaw allows an attacker to bypass existing protections and cause an application crash through a maliciously crafted file.
Severity: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Links:
Published: July 13, 2024
Modified: March 9, 2026
CVE-2023-39329
A flaw was found in OpenJPEG. A resource exhaustion can occur in the opj_t1_decode_cblks function in tcd.c through a crafted image file, causing a denial of service.
Severity: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Links:
Published: Aug. 7, 2025
Modified: Dec. 29, 2025
CVE-2025-50952
openjpeg v 2.5.0 was discovered to contain a NULL pointer dereference via the component /openjp2/dwt.c.
Severity: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Links: