CVE-2026-38076
Artifex · jbig2dec
An integer overflow in the jbig2_arith_iaid_ctx_new() function of Artifex jbig2dec allows unauthenticated attackers to trigger a Denial of Service (DoS) via crafted input.
Executive summary
An integer overflow vulnerability in Artifex jbig2dec poses a high risk of service disruption due to potential Denial of Service attacks.
Vulnerability
The vulnerability is an integer overflow in the jbig2_arith_iaid_ctx_new() function. This flaw allows an unauthenticated, remote attacker to cause a crash or Denial of Service by supplying a specially crafted input file.
Business impact
Successful exploitation of this vulnerability results in a Denial of Service, which can disrupt critical business operations reliant on the jbig2dec library for image processing. Given the CVSS score of 7.5, this high-severity flaw requires prompt attention to ensure system availability and stability, particularly in environments where image parsing is automated or public-facing.
Remediation
Immediate Action: Update the jbig2dec software to include the fix provided in commit cc37d0931aa71582f7128736a068c92cd8712d9b or ensure the library is updated to the latest stable release incorporating this patch.
Proactive Monitoring: Monitor system logs for repeated service crashes or process terminations associated with the jbig2dec library, which may indicate attempted exploitation.
Compensating Controls: Implement file size and type validation at the application ingestion layer to block malformed or suspicious JBIG2 files before they are processed by the vulnerable library.
Exploitation status
Public Exploit Available: No (There is no confirmed public exploit available in the provided data).
Analyst recommendation
While there is currently no evidence of active exploitation, the accessibility of this vulnerability—combined with the ease of triggering a crash—warrants immediate remediation. Organizations using jbig2dec should prioritize updating to the patched commit to prevent service disruption caused by malicious or malformed image inputs.