CVE-2026-1837

A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/libjxl/libjxl/issues/4549	Exploit Issue Tracking Patch
https://github.com/libjxl/libjxl/issues/4549	Exploit Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:libjxl_project:libjxl:*:*:*:*:*:*:*:*

History

14 Apr 2026, 00:51

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/libjxl/libjxl/issues/4549 -~~	() https://github.com/libjxl/libjxl/issues/4549 - Exploit, Issue Tracking, Patch
First Time		Libjxl Project libjxl Libjxl Project
Summary		(es) Un archivo especialmente diseñado puede provocar que el decodificador de libjxl escriba datos de píxeles en memoria no asignada no inicializada. Poco después, datos de otra región no asignada no inicializada se copian a los datos de píxeles. Esto puede hacerse al solicitar una transformación de color de imágenes en escala de grises a otro espacio de color en escala de grises. Búferes asignados para 1 flotante por píxel se utilizan como si estuvieran asignados para 3 flotantes por píxel. Esto ocurre solo si se utiliza LCMS2 como motor CMS. Hay otro motor CMS disponible (seleccionado mediante indicadores de compilación).
CPE		cpe:2.3:a:libjxl_project:libjxl::::::::
CWE		CWE-770

11 Feb 2026, 20:16

Type	Values Removed	Values Added
References	~~() https://github.com/libjxl/libjxl/issues/4549 -~~	() https://github.com/libjxl/libjxl/issues/4549 -

11 Feb 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-11 16:16

Updated : 2026-04-14 00:51

NVD link : CVE-2026-1837

Mitre link : CVE-2026-1837

CVE.ORG link : CVE-2026-1837

JSON object : View

Products Affected

libjxl_project

libjxl

CWE

CWE-805

Buffer Access with Incorrect Length Value

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10