PatchSiren cyber security CVE debrief
CVE-2026-1837 Libjxl Project CVE debrief
CVE-2026-1837 is a high-severity vulnerability (CVSS 8.7) in libjxl, a library for JPEG XL image compression and decompression. A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized, unallocated memory when a color transformation from a grayscale image to another grayscale color space is requested. The vulnerability was published on February 11, 2026, and last modified on June 30, 2026.
- Vendor: Libjxl Project
- Product: Libjxl
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-11
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-11
- Advisory updated: 2026-06-30
Who should care
Developers who build on the libjxl library, and operators of services that decode untrusted JPEG XL images with it, should be aware of this vulnerability and take the necessary steps to mitigate it. The vulnerability is triggered by a specially-crafted file, and its exploitability is high. It affects libjxl versions from 0.9.0 to 0.11.1.
Technical summary
A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized, unallocated memory. The trigger is a request to color-transform a grayscale image into another grayscale color space. The root cause is that buffers allocated for 1 float per pixel are used as if they had been allocated for 3 floats per pixel when LCMS2 is used as the CMS (color management system) engine. libjxl also supports another CMS engine, selected at build time by build flags.
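To make the sizing mismatch concrete, the following is an added illustration in C; it is not libjxl code, and its types and functions (profile_t, pixel_buf_t, buf_alloc, transform_checked, would_overrun, demo_grayscale) are assumptions for this example only. It places the vulnerable fixed-stride assumption beside a hardened transform that derives the per-pixel stride from the profiles and refuses to write when a buffer was allocated for fewer floats per pixel than the transform would touch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
/* Hypothetical model of a CMS transform stage; not libjxl code. */
typedef struct { size_t channels; } profile_t;   /* 1 = grayscale, 3 = RGB */
/* floats_per_pixel records how the buffer was really allocated. */
typedef struct { float *data; size_t pixels, floats_per_pixel; } pixel_buf_t;
/* Allocate a zero-filled buffer for `pixels` pixels of profile `p`. */
bool buf_alloc(pixel_buf_t *b, size_t pixels, const profile_t *p) {
    if (p->channels == 0 || pixels > ((size_t)-1) / sizeof(float) / p->channels) return false;
    b->data = calloc(pixels * p->channels, sizeof(float));
    if (b->data == NULL) return false;
    b->pixels = pixels;
    b->floats_per_pixel = p->channels;
    return true;
}

/* Vulnerable pattern: a fixed 3-float stride is assumed for every transform.
   Returns true when that assumption overruns `b`, i.e. the grayscale-to-grayscale case. */
bool would_overrun(const pixel_buf_t *b) { return 3 > b->floats_per_pixel; }

/* Hardened pattern: derive strides from the profiles, check them against
   the allocations, and only then touch pixels. Writes nothing on mismatch. */
bool transform_checked(const pixel_buf_t *in, pixel_buf_t *out,
                       const profile_t *pin, const profile_t *pout) {
    size_t sin = pin->channels, sout = pout->channels;
    if (sin == 0 || sout == 0 || in->pixels != out->pixels) return false;
    if (in->floats_per_pixel < sin || out->floats_per_pixel < sout) return false;
    for (size_t i = 0; i < in->pixels; i++) {
        float acc = 0.0f;   /* toy transform: average input channels, replicate to output */
        for (size_t c = 0; c < sin; c++) acc += in->data[i * in->floats_per_pixel + c];
        acc /= (float)sin;
        for (size_t c = 0; c < sout; c++) out->data[i * out->floats_per_pixel + c] = acc;
    }
    return true;
}

/* Grayscale in, grayscale out, 4 constructed pixels. Returns 0 on success, else the failing step. */
int demo_grayscale(void) {
    profile_t gray = {1}, rgb = {3};
    pixel_buf_t in = {0}, out = {0};
    if (!buf_alloc(&in, 4, &gray) || !buf_alloc(&out, 4, &gray)) return 1;
    in.data[2] = 0.5f;
    if (!transform_checked(&in, &out, &gray, &gray)) return 2;   /* fits: 1 float per pixel */
    if (out.data[2] != 0.5f) return 3;
    if (!would_overrun(&out)) return 4;                           /* fixed-3 stride would overrun */
    if (transform_checked(&in, &out, &gray, &rgb)) return 5;     /* rejected: out sized for 1, needs 3 */
    free(in.data); free(out.data);
    return 0;
}
```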
Defensive priority
Patching should be treated as high priority: the CVSS score is high and the vulnerability is triggered simply by decoding a specially-crafted file.
Recommended defensive actions
- Patch libjxl to version 0.11.2 or later
- Where patching is not yet possible, build libjxl with the other CMS engine (selected by build flags) instead of LCMS2
- Validate and sanitize image files before processing
- Monitor for suspicious activity, such as decoder crashes on image input
- Implement compensating controls, such as decoding untrusted images in a sandboxed process
Evidence notes
The vulnerability was published on February 11, 2026, and last modified on June 30, 2026. The CVSS score is 8.7, and the severity is high. The vulnerability affects libjxl versions from 0.9.0 to 0.11.1.
Official resources
- CVE-2026-1837 CVE record (CVE.org)
- CVE-2026-1837 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Issue Tracking, Patch
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.