2438974 – (CVE-2026-1837) CVE-2026-1837 libjxl: libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2

Bug 2438974 (CVE-2026-1837) - CVE-2026-1837 libjxl: libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2

Summary: CVE-2026-1837 libjxl: libjxl: Out-of-bounds write in grayscale color transfor...

Keywords:
Status:	NEW
Alias:	CVE-2026-1837
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-11 16:01 UTC by OSIDB Bzimport
Modified:	2026-02-11 18:42 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-11 16:01:53 UTC

A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.

This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).

Note You need to log in before you can comment on or make changes to this bug.