PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-51807 OpenHTJ2K CVE debrief

A critical vulnerability exists in OpenHTJ2K versions 0.18.3 and earlier. The issue is a heap-based out-of-bounds write in the j2k_precinct_subband::parse_packet_header() function, which can be triggered by a crafted JPEG 2000 codestream containing malformed PPM packet headers. This vulnerability is due to missing bounds validation for the j2k_codeblock::pass_length[128] array, potentially leading to heap corruption and process termination. Developers and maintainers should prioritize patching to version 0.18.4 or later.

Vendor
OpenHTJ2K
Product
OpenHTJ2K
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-17
Advisory published
2026-07-14
Advisory updated
2026-07-17

Who should care

This vulnerability affects users of OpenHTJ2K versions 0.18.3 and earlier. Developers and maintainers of systems or applications that utilize OpenHTJ2K for JPEG 2000 processing should prioritize patching to version 0.18.4 or later. Security teams should review compensating controls and monitor for potential exploitation attempts.

Technical summary

The vulnerability is caused by a lack of bounds validation before writing coding-pass lengths to j2k_codeblock::pass_length[128]. A specially crafted JPEG 2000 codestream with malformed PPM packet headers can trigger a heap-based out-of-bounds write in the j2k_precinct_subband::parse_packet_header() function. This can lead to heap corruption and potentially cause process termination. The issue was fixed in OpenHTJ2K version 0.18.4. Users should review input validation and sanitization practices.

Defensive priority

Highest for OpenHTJ2K users given the critical severity and potential for heap corruption. Immediate patching to version 0.18.4 or later is advised. Additional monitoring and compensating controls should be considered for exposed systems during remediation planning and verification phases. Input validation and sanitization should be reviewed and enhanced if necessary. Asset inventory and rollback/change window planning are also recommended to ensure timely and effective mitigation of this vulnerability across the organization. Tracking exceptions and retesting remediated assets is crucial before closing this item, ensuring evidence of successful mitigation is documented and verified through testing and monitoring processes. This approach ensures that the vulnerability is properly managed and reduces the risk of exploitation in the environment.

Recommended defensive actions

  • Immediately update OpenHTJ2K to version 0.18.4 or later
  • Review and validate input JPEG 2000 codestreams for potential malformations
  • Implement additional monitoring for potential exploitation attempts
  • Consider compensating controls such as input validation and sanitization
  • Perform asset inventory to identify exposed systems
  • Plan and execute rollback/change windows for remediation
  • Track exceptions and retest remediated assets

Evidence notes

The CVE record was published on 2026-07-14T23:17:29.843Z and was last modified on 2026-07-17T16:17:15.513Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 9.8 and is classified as CRITICAL. Evidence is limited to CVE and NVD details. Defenders should verify OpenHTJ2K usage and review vendor advisories for patching guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T23:17:29.843Z and has not been modified since then. The NVD entry is currently Deferred.