CVE 8.7 HIGH

libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2_CVE-2026-1837

February 11, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.

This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).

AI Analysis

Out-of-bounds write in grayscale color transformation when using LCMS2

Basic Information

ID CVE-2026-1837

Source Google

Published Feb 11, 2026 at 15:19

Affected Product

Vendor Google

Product libjxl

Version 0.9

Affected Versions Google libjxl 0.9

CWE Classification

CWE-805

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Google

Product libjxl

Version 0.9

References

github.com /libjxl/libjxl/issues/4549

{
    "lastseen": "",
    "description": "A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.\n\nThis can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).",
    "published": "2026-02-11T15:19:55.442Z",
    "modified": "2026-02-11T15:19:55.442Z",
    "type": "cve",
    "title": "libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2",
    "source": "Google",
    "references": "https://github.com/libjxl/libjxl/issues/4549",
    "id": "CVE-2026-1837",
    "bulletinFamily": "",
    "cwe": [
        "CWE-805"
    ],
    "cvelist": null,
    "sourceData": "Google libjxl 0.9",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "libjxl",
    "version": "0.9",
    "vendor": "Google",
    "ai_description": "Out-of-bounds write in grayscale color transformation when using LCMS2",
    "ai_severity": "High",
    "ai_vendor": "Google",
    "ai_product": "libjxl",
    "ai_version": "0.9",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply