CRITICAL
OpenHTJ2K
CVE published 2026-07-14
CVE-2026-51807
A critical vulnerability exists in OpenHTJ2K versions 0.18.3 and earlier. The issue is a heap-based out-of-bounds write in the j2k_precinct_subband::parse_packet_header() function, which can be triggered by a crafted JPEG 2000 codestream containing malformed PPM packet headers. This vulnerability is due to missing bounds validation for the j2k_codeblock::pass_length[128] array, potentially leading to heap [truncated]