PatchSiren cyber security CVE debrief

CVE-2016-4796 Fedoraproject CVE debrief

CVE-2016-4796 describes a heap-based buffer overflow in OpenJPEG’s color_cmyk_to_rgb path. A crafted .j2k file can trigger a crash, making this a denial-of-service issue for software that parses JPEG 2000 content. NVD rates it CVSS 5.5 (MEDIUM).

Vendor: Fedoraproject
Product: CVE-2016-4796
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Teams running OpenJPEG directly, or applications and services that ingest untrusted .j2k / JPEG 2000 files, should care most. Fedora package maintainers and operators of Fedora 23/24 systems should also take note, because those CPEs are listed as vulnerable in the NVD record.

Technical summary

The NVD record states that color_cmyk_to_rgb in common/color.c in OpenJPEG before 2.1.1 contains a heap-based buffer overflow. The primary impact is availability: a crafted .j2k file can cause the application to crash. NVD’s CVSS v3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, and the listed weakness is CWE-119. The record also includes Fedora 23 and Fedora 24 CPEs as vulnerable targets.

Defensive priority

Medium. The supplied record describes a denial-of-service vulnerability rather than code execution, but the affected code sits in a file-parsing path that may be exposed to untrusted input. Prioritize if OpenJPEG is used in user-facing upload, preview, conversion, or batch-processing workflows.

Recommended defensive actions

  • Upgrade OpenJPEG to version 2.1.1 or later, as the vulnerability is listed for versions before 2.1.1.
  • If you ship or depend on Fedora packages, verify whether your Fedora 23/24 builds already include the vendor fix or backported patch.
  • Treat .j2k and other JPEG 2000 files as untrusted input and consider isolating parsing/conversion workloads.
  • Review any application paths that automatically open or preview JPEG 2000 content, especially where a crash would impact service availability.
  • Track downstream advisories and package announcements referenced in the CVE record for distribution-specific remediation guidance.
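The first three actions above, as an added example that is not part of the PatchSiren debrief or of OpenJPEG itself: a version gate against the "before 2.1.1" range named in the NVD record, plus header-based detection of JPEG 2000 content so that such files are routed to isolated decoding regardless of their extension. The version strings and file bytes are constructed samples, and the function names are hypothetical.

```python
import re

# First fixed release named in the NVD record: "OpenJPEG before 2.1.1" is vulnerable.
FIXED_VERSION = (2, 1, 1)

# Header bytes of the two JPEG 2000 forms (taken from the public format spec, not from the page):
JP2_SIGNATURE = bytes.fromhex("0000000C6A5020200D0A870A")  # JP2 container signature box
J2K_SOC_SIZ = b"\xff\x4f\xff\x51"                           # raw codestream: SOC then SIZ marker


def parse_version(text: str) -> tuple:
    """Extract a dotted numeric version such as '2.1.0' from pkg-config or rpm -q style output."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable_openjpeg(version_text: str) -> bool:
    """True when the version is older than 2.1.1, the affected range NVD lists for CVE-2016-4796.

    Caveat: distributions may backport the fix without bumping the version, so a True result
    means "check the package changelog", not "definitely unpatched".
    """
    return parse_version(version_text) < FIXED_VERSION


def is_jpeg2000(data: bytes) -> bool:
    """Detect JPEG 2000 content by its leading bytes instead of trusting the file extension."""
    return data.startswith(JP2_SIGNATURE) or data.startswith(J2K_SOC_SIZ)


def triage_upload(data: bytes, installed_version: str) -> str:
    """Decide how an untrusted blob is handled before any image decoder touches it."""
    if not is_jpeg2000(data):
        return "not-jpeg2000"
    if is_vulnerable_openjpeg(installed_version):
        return "quarantine"       # decoder in the affected range: do not parse in-process
    return "isolated-decode"      # still untrusted input: decode in a sandboxed worker


if __name__ == "__main__":
    # Constructed sample inputs (not real files): a raw .j2k codestream header and a JP2 box header.
    sample_j2k = J2K_SOC_SIZ + b"\x00\x29" + b"\x00" * 39
    sample_jp2 = JP2_SIGNATURE + b"\x00\x00\x00\x14ftypjp2 "
    for blob in (sample_j2k, sample_jp2, b"\x89PNG\r\n\x1a\n"):
        print(triage_upload(blob, "openjpeg2-2.1.0-5.fc24"), triage_upload(blob, "2.1.1"))
```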

Evidence notes

The debrief is based on the NVD CVE record and the linked patch/advisory references supplied in the corpus. The record explicitly names OpenJPEG before 2.1.1, the vulnerable function color_cmyk_to_rgb in common/color.c, and a crafted .j2k file as the trigger. The NVD CVSS vector indicates AV:L/UI:R, while the prose description says remote attackers; this discrepancy is preserved as a record-quality note rather than resolved beyond the supplied sources.

Official resources

The CVE was published on 2017-02-03. The supporting advisory and patch references in the supplied record date to 2016-05-13, which provides historical context for when the issue was discussed and fixed upstream/downstream. The CVE record is