CVE-2026-51808

OpenHTJ2K · OpenHTJ2K

A buffer overflow vulnerability in OpenHTJ2K allows remote attackers to execute arbitrary code via multiple decoder functions.

Executive summary

The OpenHTJ2K library contains a critical buffer overflow vulnerability that could allow an unauthenticated attacker to execute arbitrary code on the host system.

Vulnerability

The vulnerability exists within the openhtj2k_decoder_impl::invoke, invoke_line_based, invoke_line_based_stream, and invoke_line_based_predecoded functions. It is a buffer overflow condition that can be triggered by providing malicious input to the decoder, potentially leading to arbitrary code execution.

Business impact

With a CVSS score of 9.8, this vulnerability is classified as critical. Successful exploitation allows for full system compromise, including the execution of arbitrary code, which can lead to data theft, system downtime, and complete loss of control over the affected application.

Remediation

Immediate Action: Update the OpenHTJ2K library to version v0.18.5 or later.

Proactive Monitoring: Monitor application performance and logs for crashes or unexpected execution patterns that may indicate attempts to exploit memory corruption vulnerabilities.

Compensating Controls: Use application sandboxing or memory protection features to limit the impact of code execution if an immediate update is not feasible.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the critical CVSS score and the existence of a proof-of-concept, users of the OpenHTJ2K library must treat this as a high-priority remediation task. Updating to version v0.18.5 is the only effective way to mitigate this risk.