Description
A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.

This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).
Published: 2026-02-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption
Action: Immediate Patch
AI Analysis

Impact

A specially crafted JXL image can trigger an out‑of‑bounds write in libjxl’s decoder when the library requests a grayscale color transformation via the LCMS2 color management engine. The decoder incorrectly treats buffers sized for one float per pixel as if they hold three floats, writing past the allocated memory and then copying data from another uninitialised region into the pixel data. This corrupts memory and can cause crashes or provide an attacker with the ability to influence processor state if additional exploitation conditions are met.

Affected Systems

Affecting Google's libjxl library, particularly builds that use the LCMS2 engine as the CMS component. No specific affected versions are listed; any release compiled with the default LCMS2 engine may be vulnerable. Versions compiled with an alternative CMS engine are not impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating high severity. Its EPSS score is below 1%, implying a low probability of widespread exploitation, and it is not listed in the CISA KEV catalog. Exploitation requires feeding a malicious JXL file to a system using libjxl with LCMS2; the likely attack vector is local or file‑based, though if the library processes network data, remote exploitation becomes possible. The memory corruption could lead to a crash or, if the attacker controls the uninitialised memory, arbitrary code execution.

Generated by OpenCVE AI on April 17, 2026 at 20:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libjxl to the latest release that includes the fix for the out-of-bounds write.
  • Recompile libjxl with a different CMS engine (e.g., disable LCMS2) by adjusting build flags to avoid the vulnerable path.
  • Implement strict validation of JXL files, rejecting or sanitising grayscale images that specify a grayscale-to‑grayscale color transformation before delegating to libjxl.

Generated by OpenCVE AI on April 17, 2026 at 20:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8146-1 libjxl vulnerability
History

Tue, 14 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Libjxl Project
Libjxl Project libjxl
Weaknesses CWE-770
CPEs cpe:2.3:a:libjxl_project:libjxl:*:*:*:*:*:*:*:*
Vendors & Products Libjxl Project
Libjxl Project libjxl
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google libjxl
Vendors & Products Google
Google libjxl

Wed, 11 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
Description A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).
Title libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2
Weaknesses CWE-805
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Google Libjxl
Libjxl Project Libjxl
cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-02-26T14:44:25.072Z

Reserved: 2026-02-03T16:27:32.730Z

Link: CVE-2026-1837

cve-icon Vulnrichment

Updated: 2026-02-11T20:01:25.375Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-11T16:16:04.697

Modified: 2026-04-14T00:51:40.663

Link: CVE-2026-1837

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-11T15:19:55Z

Links: CVE-2026-1837 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses