PatchSiren

OpenHTJ2K CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL OpenHTJ2K CVE published 2026-07-14

CVE-2026-51807

A critical vulnerability exists in OpenHTJ2K versions 0.18.3 and earlier. The issue is a heap-based out-of-bounds write in the j2k_precinct_subband::parse_packet_header() function, which can be triggered by a crafted JPEG 2000 codestream containing malformed PPM packet headers. This vulnerability is due to missing bounds validation for the j2k_codeblock::pass_length[128] array, potentially leading to heap [truncated]