PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-3183 Uclouvain CVE debrief

CVE-2016-3183 affects OpenJPEG versions before 2.1.1 and is caused by an out-of-bounds read in sycc422_t_rgb within common/color.c. NVD describes the impact as denial of service, with CWE-125 as the underlying weakness. The affected range in the NVD CPE data ends at 2.1.0, which aligns with the description that versions before 2.1.1 are vulnerable.

Vendor
Uclouvain
Product
OpenJPEG (tracked in the record as CVE-2016-3183)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-03
Original CVE updated
2026-05-13
Advisory published
2017-02-03
Advisory updated
2026-05-13

Who should care

Teams that ship, embed, or operationally depend on OpenJPEG should care, especially products that accept untrusted JPEG 2000 files. This includes application developers, packaging and release engineers, and security teams responsible for image-processing services, document workflows, or media pipelines.

Technical summary

The vulnerable code path is OpenJPEG’s YCC-to-RGB color conversion for 4:2:2 subsampled components (the sycc422 routine in common/color.c). When a crafted JPEG 2000 file declares component geometry that the conversion loop does not expect, the loop reads outside the valid bounds of a component buffer. NVD catalogs the issue as CWE-125 (out-of-bounds read) with a medium CVSS score of 5.5. Public references point to an upstream fix commit and issue discussion, plus downstream packaging advisories.
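The following is an added illustration of the bug class, written for this debrief; it is not OpenJPEG’s color.c and the struct layout, function names and sample planes are assumptions. A 4:2:2 converter walks the luma plane and consumes one chroma sample per pair of luma samples, so it implicitly assumes ceil(w/2) * h chroma samples exist. A crafted file can declare a smaller chroma plane; without a geometry check the loop reads past it. The checked converter below rejects inconsistent geometry before touching any chroma data and handles odd widths without running off the row.

```c
#include <stddef.h>
#include <stdio.h>

/* One image component: declared size, subsampling factors, sample data. */
typedef struct {
    int w, h;        /* plane width / height in samples */
    int dx, dy;      /* horizontal / vertical subsampling (1 = full resolution) */
    const int *data; /* w * h samples, row-major */
} plane_t;

typedef struct {
    plane_t comps[3]; /* Y, Cb, Cr */
    int prec;         /* sample precision in bits */
} ycc_image_t;

/* Chroma samples a 4:2:2 loop will consume for a luma plane of w x h. */
size_t sycc422_chroma_samples_needed(int w, int h)
{
    if (w <= 0 || h <= 0) return 0;
    return (size_t)((w + 1) / 2) * (size_t)h;
}

/* 1 if the declared planes are consistent with 4:2:2, 0 otherwise.
 * A crafted file may declare any per-component size; trusting it is what
 * lets the conversion loop read past the chroma buffers. */
int sycc422_geometry_ok(const ycc_image_t *img)
{
    const plane_t *y = &img->comps[0];
    const plane_t *cb = &img->comps[1];
    const plane_t *cr = &img->comps[2];

    if (y->w <= 0 || y->h <= 0 || img->prec < 1 || img->prec > 16) return 0;
    if (y->dx != 1 || y->dy != 1) return 0;
    if (cb->dx != 2 || cb->dy != 1 || cr->dx != 2 || cr->dy != 1) return 0;
    if (cb->h != y->h || cr->h != y->h) return 0;
    if (cb->w != (y->w + 1) / 2 || cr->w != (y->w + 1) / 2) return 0;
    return 1;
}

static int clamp_to(int v, int upb) { return v < 0 ? 0 : (v > upb ? upb : v); }

/* Fixed-point JFIF YCbCr -> RGB for one sample (coefficients scaled by 65536). */
static void ycc_sample_to_rgb(int offset, int upb, int y, int cb, int cr,
                              int *r, int *g, int *b)
{
    cb -= offset;
    cr -= offset;
    *r = clamp_to(y + (91881 * cr) / 65536, upb);
    *g = clamp_to(y - (22554 * cb + 46802 * cr) / 65536, upb);
    *b = clamp_to(y + (116130 * cb) / 65536, upb);
}

/* Fills r/g/b (each y->w * y->h ints, caller-allocated). Returns 0 on success,
 * -1 if the geometry is rejected (no chroma data is read in that case).
 * Chroma is indexed by its own row width, and j/2 never exceeds cb->w - 1. */
int sycc422_to_rgb_checked(const ycc_image_t *img, int *r, int *g, int *b)
{
    const plane_t *y, *cb, *cr;
    int offset, upb, i, j;

    if (!sycc422_geometry_ok(img)) return -1;
    y = &img->comps[0]; cb = &img->comps[1]; cr = &img->comps[2];
    offset = 1 << (img->prec - 1);
    upb = (1 << img->prec) - 1;

    for (i = 0; i < y->h; ++i) {
        for (j = 0; j < y->w; ++j) {
            size_t li = (size_t)i * (size_t)y->w + (size_t)j;
            size_t ci = (size_t)i * (size_t)cb->w + (size_t)(j / 2);
            ycc_sample_to_rgb(offset, upb, y->data[li], cb->data[ci], cr->data[ci],
                              &r[li], &g[li], &b[li]);
        }
    }
    return 0;
}

/* Constructed sample planes (not taken from any real file): 3 x 2 luma with
 * an odd width, and neutral 2 x 2 chroma, which is exactly ceil(3/2) * 2. */
static const int k_luma[6] = { 128, 128, 128, 235, 16, 128 };
static const int k_cb[4]   = { 128, 128, 128, 128 };
static const int k_cr[4]   = { 128, 128, 128, 128 };

static ycc_image_t make_image(int chroma_w)
{
    ycc_image_t img;
    img.prec = 8;
    img.comps[0] = (plane_t){ 3, 2, 1, 1, k_luma };
    img.comps[1] = (plane_t){ chroma_w, 2, 2, 1, k_cb };  /* header-declared width */
    img.comps[2] = (plane_t){ chroma_w, 2, 2, 1, k_cr };
    return img;
}

/* Red value of pixel (x, row) after conversion with the declared chroma
 * width, or -1 if the geometry check rejected the image. */
int demo_convert_pixel_r(int chroma_w, int x, int row)
{
    int r[6], g[6], b[6];
    ycc_image_t img = make_image(chroma_w);
    if (sycc422_to_rgb_checked(&img, r, g, b) != 0) return -1;
    return r[row * 3 + x];
}

int main(void)
{
    printf("honest header (chroma w=2): r[1,1]=%d\n", demo_convert_pixel_r(2, 1, 1));
    printf("crafted header (chroma w=1): %d (rejected)\n", demo_convert_pixel_r(1, 0, 0));
    printf("chroma samples the loop needs for 3x2 luma: %zu\n",
           sycc422_chroma_samples_needed(3, 2));
    return 0;
}
```

The crafted case declares a 1 x 2 chroma plane (2 samples) for a luma plane whose conversion needs 4; an unchecked loop would index chroma sample 2 and 3 past the end of a 2-sample buffer, which is the shape of an out-of-bounds read rather than a write, matching the denial-of-service impact NVD records for this CVE.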

Defensive priority

Medium priority. The flaw can be triggered by crafted input and may crash affected software, but the corpus does not indicate code execution or broader compromise. Remediation is still important wherever untrusted JPEG 2000 content is processed.

Recommended defensive actions

  • Upgrade OpenJPEG to 2.1.1 or later (NVD lists versions through 2.1.0 as affected), or apply the upstream fix commit referenced in the advisory corpus.
  • Inventory applications and appliances that parse JPEG 2000 files and confirm whether they bundle OpenJPEG.
  • Treat user-supplied or externally sourced JPEG 2000 content as untrusted and test impacted workflows for crash resilience after upgrading.
  • If immediate patching is not possible, reduce exposure by limiting processing of untrusted JPEG 2000 files in high-risk services.
  • Validate vendor backports in downstream packages, since several packaging advisories reference fixes for this issue.

Evidence notes

All claims are grounded in the supplied NVD record and its cited references. The NVD description states an out-of-bounds read in sycc422_t_rgb in common/color.c and says OpenJPEG before 2.1.1 is affected. The NVD CPE criteria list vulnerable versions through 2.1.0. References include an upstream commit, an issue tracker entry, an oss-security mailing list post, Red Hat Bugzilla, and downstream advisories. The CVE record was published on 2017-02-03, while patch-related discussion appears in the 2016-03-16 mailing list reference.

Official resources

The CVE record was published on 2017-02-03. Patch-related references in the corpus date back to 2016-03-16, but that earlier reference date should not be treated as the CVE publication date.