{"uuid": "107e1a3c-415b-48d5-8473-1a371d7cdb6f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51807", "type": "seen", "source": "https://gist.github.com/5asever40-a11y/dcfa867b099a7782ad72ab7981427765", "content": "# CVE-2026-51807\n\nHeap buffer overflow in OpenHTJ2K PPM packet header parsing\nallows heap out-of-bounds write via a crafted J2K/JP2 codestream\nor malicious JPIP/JPP response.\n\n------------------------------------------\n\n[Vulnerability Type]\nHeap Buffer Overflow\nOut-of-Bounds Write\n\n------------------------------------------\n\n[Vendor of Product]\nOpenHTJ2K\n\n------------------------------------------\n\n[Affected Product Code Base]\nOpenHTJ2K versions before v0.18.4\n\nFixed version: v0.18.4\nFix commit/tag: f77c1e9 / v0.18.4\n\n------------------------------------------\n\n[Affected Component]\nsource/core/coding/coding_units.cpp\n\nj2k_precinct_subband::parse_packet_header()\nj2k_codeblock::pass_length[128]\n\n------------------------------------------\n\n[Root Cause]\nThe PPM packet header parser updates the fixed-size\nj2k_codeblock::pass_length[128] array while increasing\nnum_passes, but vulnerable versions did not sufficiently\nvalidate that the updated number of coding passes stayed\nwithin the 128-entry pass_length array.\n\nWhen crafted packet header data causes num_passes and\nsegment_passes to exceed the pass_length capacity, the parser\nwrites beyond pass_length[128], resulting in heap memory\ncorruption.\n\n------------------------------------------\n\n[Attack Vectors]\nAn attacker can trigger the vulnerability by providing:\n\n1. A crafted J2K/JP2 codestream processed by the decoder or JPIP server.\n2. A malicious JPIP/JPP server response consumed by an OpenHTJ2K client.\n\nThe client-response path was reproduced by feeding malicious\nJPP response bytes through JPIP stream parsing, databin\nreassembly, and the OpenHTJ2K decoder path until\nj2k_precinct_subband::parse_packet_header() performed the\nout-of-bounds heap write.\n\n------------------------------------------\n\n[Impact]\nHeap memory corruption\n\nConfirmed impact:\n- Heap out-of-bounds write\n- Crash / denial of service\n- Neighboring j2k_codeblock object state corruption in crafted layouts\n- Later dereference of corrupted decoder state\n\nPotential impact:\n- Further exploitation may be possible depending on heap layout,\n  allocator behavior, ASLR, and availability of a stronger write\n  primitive.\n\nStable arbitrary write or RCE was investigated but not confirmed\nby the reporters.\n\n------------------------------------------\n\n[Fix]\nOpenHTJ2K v0.18.4 added kMaxCodingPasses = 128 and introduced\nbounds checks before updating num_passes in the vulnerable packet\nheader parsing paths.\n\nThe fix rejects malformed inputs before pass_length[128] can be\nwritten out of bounds.\n\n------------------------------------------\n\n[Reference]\nhttps://github.com/osamu620/OpenHTJ2K/releases/tag/v0.18.4\nhttps://github.com/osamu620/OpenHTJ2K/releases\n\n------------------------------------------\n\n[Discoverer]\nKANG DAEUN (SANGMYUNG UNIVERSITY, https://github.com/Daeun2046)\nOH HAN GUEL (SANGMYUNG UNIVERSITY, https://github.com/5asever40-a11y)\n", "creation_timestamp": "2026-07-10T12:26:14.303646Z"}