Buffer Access with Incorrect Length Value

CVE-2026-1837

High

8.7/10

Summary

A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-805 - Buffer Access with Incorrect Length Value

The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.

References

Advisory Timeline

Published Feb 11, 2026

Buffer Access with Incorrect Length Value

CVE-2026-1837

Summary

CWE-805 - Buffer Access with Incorrect Length Value

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS