PatchSiren cyber security CVE debrief

CVE-2026-6192 uclouvain CVE debrief

CVE-2026-6192 is a locally exploitable integer overflow in uclouvain openjpeg up to 2.5.4, affecting opj_pi_initialise_encode in src/lib/openjp2/pi.c. The supplied CVE description says a public exploit may exist and recommends applying the referenced patch. Based on the provided CVSS vector, this is a low-impact issue that still deserves prompt remediation on systems that build, package, or embed openjpeg.

Vendor: uclouvain
Product: openjpeg
CVSS: LOW 1.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-13
Original CVE updated: 2026-05-21
Advisory published: 2026-04-13
Advisory updated: 2026-05-21

Who should care

Teams that ship or embed uclouvain openjpeg, especially maintainers of Linux distributions, media-processing pipelines, and any local desktop or server workloads that handle JPEG 2000 content. Security teams should also care if untrusted local users can run code on the same host.

Technical summary

The record describes an integer overflow in opj_pi_initialise_encode within openjpeg’s pi.c. The CVSS vector indicates local attack conditions (AV:L), low privileges required (PR:L), and no user interaction (UI:N). The likely impact is limited to availability in the supplied vector (VA:L), with the weakness mapping calling out CWE-189 and CWE-190. The source references a fix commit (839936aa33eb8899bbbd80fda02796bb65068951), along with an issue and pull request associated with the patch.

Defensive priority

Medium for environments that expose openjpeg to untrusted local code or ship affected builds; otherwise lower priority than remotely exploitable flaws because the attack is local and the supplied CVSS severity is LOW.

Recommended defensive actions

  • Upgrade or backport the patch identified by commit 839936aa33eb8899bbbd80fda02796bb65068951.
  • Check downstream packages and vendor forks for openjpeg versions at or below 2.5.4 and apply the fix where relevant.
  • Prioritize remediation on multi-user systems, build hosts, and desktop environments where local code execution is plausible.
  • Track distro/vendor advisories, including the referenced Debian LTS announcement, for packaged fixes and backports.
  • If you maintain a product embedding openjpeg, rebuild and retest after patching to confirm the overflow is no longer reachable.

Evidence notes

The CVE description states that uclouvain openjpeg up to 2.5.4 is affected and that the issue impacts opj_pi_initialise_encode in src/lib/openjp2/pi.c. The supplied description also says the manipulation leads to an integer overflow, the attack must be carried out locally, an exploit is publicly available and might be used, and a patch is suggested. The NVD metadata marks the vulnerability status as Deferred and provides references to the openjpeg repository, the fixing commit, an issue, a pull request, and a Debian LTS announcement. The CVSS vector in the supplied metadata shows AV:L/AC:L/PR:L/UI:N with low availability impact.

Official resources

Publicly disclosed on 2026-04-13, with the source metadata later modified on 2026-05-21. The supplied description indicates a public exploit may already be available.