Vulnerability CVE-2021-3575: Information

Description

A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.

Severity: HIGH (7.8)

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: MEDIUM (6.8)

Vector: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3575

Published: March 4, 2022

Modified: Nov. 3, 2025

Error type identifier: CWE-787

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
libopenjpeg2.0	sisyphus	2.5.1-alt1	2.5.4-alt1	ALT-PU-2024-3037-2	341475	Fixed
libopenjpeg2.0	sisyphus_e2k	2.5.0-alt1	2.5.4-alt1	ALT-PU-2022-4997-1	-	Fixed
libopenjpeg2.0	sisyphus_riscv64	2.5.0-alt1	2.5.4-alt1	ALT-PU-2022-4954-1	-	Fixed
libopenjpeg2.0	sisyphus_loongarch64	2.5.1-alt1.1	2.5.4-alt1	ALT-PU-2024-3141-1	-	Fixed
libopenjpeg2.0	p11	2.5.1-alt1	2.5.4-alt1	ALT-PU-2024-3037-2	341475	Fixed
libopenjpeg2.0	p10	2.5.0-alt1	2.5.0-alt1	ALT-PU-2022-1892-1	300002	Fixed
libopenjpeg2.0	p10_e2k	2.5.0-alt1	2.5.0-alt1	ALT-PU-2022-4992-1	-	Fixed
libopenjpeg2.0	c10f2	2.5.3-alt1	2.5.4-alt1	ALT-PU-2025-10918-3	393308	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1957616	Issue Tracking Third Party Advisory
https://github.com/uclouvain/openjpeg/issues/1347	Exploit Issue Tracking Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZ54FGM2IGAP4AWSJ22JKHOPHCR3FGYU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB6AI7CWXWMEDZIQY4LQ6DMIEXMDOHUP/
https://ubuntu.com/security/CVE-2021-3575	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/04/msg00002.html
BDU:2024-06926

Affected configurations:
1. cpe:2.3:a:uclouvain:openjpeg:*:*:*:*:*:*:*:*
  End including
  2.4.0
  cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Version: v26.2.2