PatchSiren cyber security CVE debrief

CVE-2016-8882 Jasper Project CVE debrief

CVE-2016-8882 is a denial-of-service issue in JasPer’s JPEG-2000 decoder path. The affected function, jpc_dec_tilefini in libjasper/jpc/jpc_dec.c, can hit a NULL pointer dereference and crash when processing a crafted file. The CVE record lists JasPer versions before 1.900.8 as vulnerable. NVD assigns medium severity and a CVSS 3.0 vector that reflects availability impact with user interaction required.

Vendor: Jasper Project
Product: CVE-2016-8882
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Administrators, package maintainers, and application teams that ship or embed JasPer and process untrusted image files, especially JPEG-2000 content.

Technical summary

The vulnerability is a NULL pointer dereference in jpc_dec_tilefini during decoder tile cleanup. The supplied CVE description says a crafted file can trigger the crash remotely, while NVD’s CVSS vector describes local access with user interaction required. The affected version range in the record is JasPer before 1.900.8.

Defensive priority

Medium. This is an availability-only issue, but it can still disrupt services that parse untrusted files. Prioritize patching where JasPer is exposed to external content or used in automated processing pipelines.

Recommended defensive actions

  • Upgrade JasPer to 1.900.8 or later.
  • Inventory systems and applications that bundle or depend on JasPer.
  • Treat untrusted JPEG-2000 files as risky input and restrict where they can be processed.
  • Rebuild downstream packages after upgrading the library.
  • If immediate upgrading is not possible, reduce exposure by limiting file ingestion paths to trusted sources only.

Evidence notes

Based on the supplied CVE description, the vulnerable function is jpc_dec_tilefini in libjasper/jpc/jpc_dec.c, with a NULL pointer dereference and crash triggered by a crafted file. The supplied NVD data lists JasPer versions up to 1.900.7 as vulnerable and classifies the issue as CWE-476. The CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. No KEV entry or ransomware association is present in the supplied corpus.

Official resources

CVE published on 2017-01-13 and last modified on 2026-05-13, per the supplied timeline. The issue is not marked as KEV in the supplied corpus.