CVE-2026-6192

Name: CVE-2026-6192
Description: A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is 839936aa33eb8899bbbd80fda02796bb65068951. It is suggested to install a patch to address this issue.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1133832

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release               Version             Status
openjpeg2 (PTS)    bullseye              2.4.0-3             vulnerable
                   bullseye (security)   2.4.0-3+deb11u2     vulnerable
                   bookworm              2.5.0-2+deb12u2     vulnerable
                   bookworm (security)   2.5.0-2+deb12u1     vulnerable
                   trixie                2.5.3-2.1~deb13u1   vulnerable
                   forky, sid            2.5.4-1             vulnerable

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
openjpeg2   source   (unstable)   (unfixed)                          1133832

Notes

https://github.com/uclouvain/openjpeg/issues/1619
https://github.com/uclouvain/openjpeg/pull/1628
Fixed by: https://github.com/uclouvain/openjpeg/commit/839936aa33eb8899bbbd80fda02796bb65068951
