CVE-2026-51807
OpenHTJ2K · OpenHTJ2K
A buffer overflow vulnerability in OpenHTJ2K up to version 0.18.4 allows unauthenticated attackers to execute arbitrary code via a malicious JPEG 2000 file.
Executive summary
A critical buffer overflow vulnerability in OpenHTJ2K allows unauthenticated attackers to achieve remote code execution, posing a severe risk to system integrity and availability.
Vulnerability
This is a buffer overflow vulnerability located in the j2k_precinct_subband::parse_packet_header() function within the source code. The flaw is exploitable by an unauthenticated attacker who provides a specially crafted JPEG 2000 file for processing.
Business impact
The vulnerability carries a CVSS score of 9.8, indicating a critical severity level. Successful exploitation allows for arbitrary code execution, which can lead to full system compromise, the theft of sensitive data, or complete service disruption. Because the attack vector is network-based and requires no authentication, the potential for widespread impact across image processing pipelines is significant.
Remediation
Immediate Action: Upgrade OpenHTJ2K to version v0.18.5 or later immediately to incorporate the necessary security fixes.
Proactive Monitoring: Monitor system logs for unexpected application crashes or anomalous memory usage during image processing tasks, as these may indicate attempted exploitation.
Compensating Controls: Implement strict input validation or sandboxing for any services that process untrusted JPEG 2000 image files to restrict the impact of potential memory corruption.
Exploitation status
Public Exploit Available: No (there is no confirmed public exploit in the available data).
Analyst recommendation
Given the critical nature of this vulnerability and the potential for remote code execution, organizations should prioritize patching their OpenHTJ2K deployments. Updating to version v0.18.5 is the only effective way to remediate this buffer overflow flaw. Failure to apply this update leaves systems vulnerable to exploitation by any actor capable of delivering a malicious image file to the target service.