PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8883 Jasper Project CVE debrief

CVE-2016-8883 is a denial-of-service vulnerability in JasPer's JPEG-2000 decoder. According to the CVE record, jpc_dec_tiledecode in jpc_dec.c can hit an assertion failure when processing a crafted file, affecting JasPer versions before 1.900.8. The issue is rated medium severity in NVD, with availability impact only and no evidence in the provided corpus of code execution, data loss, or public weaponization.

Vendor: Jasper Project
Product: CVE-2016-8883
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Organizations that deploy JasPer to parse or transcode untrusted JPEG-2000 content should care most, especially teams responsible for application servers, document/image pipelines, security gateways, and desktop software that may open user-supplied files. Package maintainers and downstream distributors should also verify whether they ship a vulnerable JasPer release.

Technical summary

NVD lists the affected product as jasper_project:jasper with vulnerable versions ending at 1.900.7. The reported flaw is an assertion failure in jpc_dec_tiledecode within jpc_dec.c, reachable through a crafted input file. The published CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, which indicates a user-assisted availability issue. The CVE description states remote attackers can trigger the denial of service via crafted file input, so defenders should treat any workflow that processes attacker-controlled files as exposed.

Defensive priority

Medium. This is not listed in KEV in the supplied corpus and the available evidence points to denial of service rather than deeper compromise, but any crash in a file parser can still disrupt services that accept untrusted content.

Recommended defensive actions

  • Upgrade JasPer to 1.900.8 or later in all supported environments.
  • Inventory applications, libraries, and appliances that embed or depend on JasPer and confirm the shipped version.
  • Prioritize fixes for any service that processes user-uploaded or otherwise untrusted image files.
  • Review crash handling and isolation around image parsing workflows so a parser failure does not take down the entire service.
  • Verify downstream vendor advisories and packages, including Red Hat and Ubuntu updates referenced in the source corpus, for the appropriate fixed builds.
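The version inventory and crash-isolation steps above, as an added example that is not part of the PatchSiren debrief or of the JasPer project: it flags any upstream version below 1.900.8 for a vendor-advisory check (distributions backport fixes without changing the upstream number), and it runs a decoder command in a child process so that the SIGABRT produced by a failed assertion is reported rather than propagated. The decoder command line is assumed to be supplied by the operator; the crash stand-in is a constructed Python one-liner.

```python
import signal
import subprocess
import sys

# First release the CVE record treats as fixed (affected: 1.900.7 and earlier).
FIXED_VERSION = (1, 900, 8)


def parse_version(text):
    """Take the leading upstream 'x.y.z' from a version string such as
    '1.900.7' or a distro-style string like '1.900.1-debian1-2.4+deb8u3'."""
    head = text.strip().split("-")[0].split("+")[0]
    parts = head.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised JasPer version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def assess_version(text):
    """'patched' when the upstream number is >= 1.900.8, otherwise
    'check vendor advisory', since a backported build may still be fixed."""
    return "patched" if parse_version(text) >= FIXED_VERSION else "check vendor advisory"


def decode_isolated(cmd, timeout=10):
    """Run a decoder command in a child process so an assertion failure
    (SIGABRT) or a hang inside the parser is reported to the caller as a
    result tuple (status, detail) instead of taking the service down."""
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("timeout", timeout)
    except OSError as exc:  # binary missing or not executable
        return ("not-run", str(exc))
    if proc.returncode < 0:  # killed by a signal; abort() from a failed assert lands here
        return ("crashed", signal.Signals(-proc.returncode).name)
    if proc.returncode != 0:
        return ("error", proc.returncode)
    return ("ok", 0)


def simulate_assert_crash():
    """Constructed stand-in for a decoder that trips an assert on a crafted file."""
    return decode_isolated([sys.executable, "-c", "import os; os.abort()"])


if __name__ == "__main__":
    print(assess_version("1.900.7"), "/", assess_version("2.0.14"))
    print(simulate_assert_crash())
```

In a real pipeline, `cmd` would be the JasPer-based decoder invocation for one untrusted file; a "crashed" result should be logged and the file rejected, while the serving process keeps running.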

Evidence notes

The CVE description states that jpc_dec_tiledecode in jpc_dec.c is vulnerable to an assertion failure denial of service via a crafted file, and the NVD CPE criteria restrict affected versions to JasPer 1.900.7 and earlier. The source corpus also includes a patch-related GitHub issue and downstream advisories from Red Hat and Ubuntu. One notable detail is that the NVD CVSS vector uses AV:L and UI:R even though the description says remote attackers can cause the issue; defenders should interpret exposure based on whether untrusted files are processed in a user-assisted context.

Official resources

Published by CVE/NVD on 2017-01-13; NVD last modified on 2026-05-13. No KEV entry is recorded in the supplied timeline.