CVE-2026-1837

Source
https://cve.org/CVERecord?id=CVE-2026-1837
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1837.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-1837
Downstream
Related
Published
2026-02-11T15:19:55.442Z
Modified
2026-07-16T03:31:06.748618125Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2
Details

A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.

This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).

Database specific
{
    "cna_assigner": "Google",
    "cwe_ids": [
        "CWE-805"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/1xxx/CVE-2026-1837.json"
}
References

Affected packages

Git / github.com/libjxl/libjxl

Affected ranges

Type
GIT
Repo
https://github.com/libjxl/libjxl
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:libjxl_project:libjxl:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.9"
        },
        {
            "last_affected": "0.11.1"
        },
        {
            "introduced": "0.9.0"
        }
    ]
}

Affected versions

v0.*
v0.10-snapshot
v0.11.0
v0.11.1
v0.9-snapshot

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1837.json"