Description
A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is 839936aa33eb8899bbbd80fda02796bb65068951. It is suggested to install a patch to address this issue.
Published: 2026-04-13
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Integer Overflow in OpenJPEG
Action: Patching
AI Analysis

Impact

A flaw was discovered in the OpenJPEG library in the function that initializes the compression pipeline. A crafted input can trigger an integer overflow during the encoding process, potentially corrupting memory or causing a crash. The weakness corresponds to improper handling of size values, a classic integer overflow scenario. While the description does not explicitly state a code execution vector, such overflow could lead to arbitrary code execution if the attacker can manipulate the data fed to the library.

Affected Systems

The vulnerability affects the OpenJPEG library from the University of Lille (uClouvain) through version 2.5.4. The issue resides in the source file src/lib/openjp2/pi.c and is mitigated in later releases.

Risk and Exploitability

The CVSS score for this flaw is 4.8, indicating low to medium severity. No EPSS data is available, and the vulnerability is not listed as a known exploited vulnerability by CISA. Attackers must have local access to supply the crafted data; remote exploitation is unlikely. However, the publicly available exploit code suggests that once a user runs OpenJPEG on untrusted data locally, the integer overflow could be triggered.

Generated by OpenCVE AI on April 13, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the OpenJPEG version in use; versions up to 2.5.4 are affected.
  • Apply the patch identified by commit 839936aa33eb8899bbbd80fda02796bb65068951, which resolves the integer overflow.
  • Rebuild or reinstall the library after patching to ensure the changes take effect.
  • Confirm that the patched version is published and verify checksum or signature if available.



Advisories

No advisories yet.

History

Wed, 15 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Low


Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is 839936aa33eb8899bbbd80fda02796bb65068951. It is suggested to install a patch to address this issue.
Title uclouvain openjpeg pi.c opj_pi_initialise_encode integer overflow
First Time appeared Uclouvain
Uclouvain openjpeg
Weaknesses CWE-189
CWE-190
CPEs cpe:2.3:a:uclouvain:openjpeg:*:*:*:*:*:*:*:*
Vendors & Products Uclouvain
Uclouvain openjpeg
References
Metrics cvssV2_0

{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-14T13:56:25.079Z

Reserved: 2026-04-13T08:41:16.591Z

Link: CVE-2026-6192

Vulnrichment

Updated: 2026-04-14T13:56:20.488Z

NVD

Status: Deferred

Published: 2026-04-13T17:16:32.333

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6192

Redhat

Severity: Low

Public Date: 2026-04-13T16:45:11Z

Links: CVE-2026-6192 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:33:55Z

Weaknesses