{"vulnerability": "cve-2026-5180", "sightings": [{"uuid": "79abd9c7-13fa-4ba8-8280-9f30bce2593b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5180", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3midoe6pofu2o", "content": "", "creation_timestamp": "2026-03-31T07:40:21.070551Z"}, {"uuid": "0b3f8418-ef14-4e25-ad55-dacda24ff746", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5180", "type": "published-proof-of-concept", "source": "Telegram/1iWaApiUM0jOADSkCxbAhXY3iS1qKmB0s9RsJgnPCTY34SA", "content": "", "creation_timestamp": "2026-03-31T07:15:33.000000Z"}, {"uuid": "107e1a3c-415b-48d5-8473-1a371d7cdb6f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51807", "type": "seen", "source": "https://gist.github.com/5asever40-a11y/dcfa867b099a7782ad72ab7981427765", "content": "# CVE-2026-51807\n\nHeap buffer overflow in OpenHTJ2K PPM packet header parsing\nallows heap out-of-bounds write via a crafted J2K/JP2 codestream\nor malicious JPIP/JPP response.\n\n------------------------------------------\n\n[Vulnerability Type]\nHeap Buffer Overflow\nOut-of-Bounds Write\n\n------------------------------------------\n\n[Vendor of Product]\nOpenHTJ2K\n\n------------------------------------------\n\n[Affected Product Code Base]\nOpenHTJ2K versions before v0.18.4\n\nFixed version: v0.18.4\nFix commit/tag: f77c1e9 / v0.18.4\n\n------------------------------------------\n\n[Affected Component]\nsource/core/coding/coding_units.cpp\n\nj2k_precinct_subband::parse_packet_header()\nj2k_codeblock::pass_length[128]\n\n------------------------------------------\n\n[Root Cause]\nThe PPM packet header parser updates the fixed-size\nj2k_codeblock::pass_length[128] array while increasing\nnum_passes, but vulnerable versions did not sufficiently\nvalidate that the updated number of coding passes stayed\nwithin the 128-entry pass_length array.\n\nWhen crafted packet header data causes num_passes and\nsegment_passes to exceed the pass_length capacity, the parser\nwrites beyond pass_length[128], resulting in heap memory\ncorruption.\n\n------------------------------------------\n\n[Attack Vectors]\nAn attacker can trigger the vulnerability by providing:\n\n1. A crafted J2K/JP2 codestream processed by the decoder or JPIP server.\n2. A malicious JPIP/JPP server response consumed by an OpenHTJ2K client.\n\nThe client-response path was reproduced by feeding malicious\nJPP response bytes through JPIP stream parsing, databin\nreassembly, and the OpenHTJ2K decoder path until\nj2k_precinct_subband::parse_packet_header() performed the\nout-of-bounds heap write.\n\n------------------------------------------\n\n[Impact]\nHeap memory corruption\n\nConfirmed impact:\n- Heap out-of-bounds write\n- Crash / denial of service\n- Neighboring j2k_codeblock object state corruption in crafted layouts\n- Later dereference of corrupted decoder state\n\nPotential impact:\n- Further exploitation may be possible depending on heap layout,\n  allocator behavior, ASLR, and availability of a stronger write\n  primitive.\n\nStable arbitrary write or RCE was investigated but not confirmed\nby the reporters.\n\n------------------------------------------\n\n[Fix]\nOpenHTJ2K v0.18.4 added kMaxCodingPasses = 128 and introduced\nbounds checks before updating num_passes in the vulnerable packet\nheader parsing paths.\n\nThe fix rejects malformed inputs before pass_length[128] can be\nwritten out of bounds.\n\n------------------------------------------\n\n[Reference]\nhttps://github.com/osamu620/OpenHTJ2K/releases/tag/v0.18.4\nhttps://github.com/osamu620/OpenHTJ2K/releases\n\n------------------------------------------\n\n[Discoverer]\nKANG DAEUN (SANGMYUNG UNIVERSITY, https://github.com/Daeun2046)\nOH HAN GUEL (SANGMYUNG UNIVERSITY, https://github.com/5asever40-a11y)\n", "creation_timestamp": "2026-07-10T12:26:14.303646Z"}, {"uuid": "969b6fc4-e6f4-4834-9209-ac54fa68a7c9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51808", "type": "seen", "source": "https://gist.github.com/5asever40-a11y/037cd04eda92cc2cebf84ab8d375b878", "content": "# CVE-2026-51808\n\nSOT out-of-bounds tile index handling in OpenHTJ2K allows\nheap out-of-bounds access and confirmed JPIP server-side\nheap information disclosure via a crafted J2K/JP2 codestream.\n\n------------------------------------------\n\n[Vulnerability Type]\nOut-of-Bounds Access\nOut-of-Bounds Read/Write\nInformation Disclosure\n\n------------------------------------------\n\n[Vendor of Product]\nOpenHTJ2K\n\n------------------------------------------\n\n[Affected Product Code Base]\nOpenHTJ2K versions before v0.18.5\n\nFixed version: v0.18.5\nFix commit/tag: a874649 / v0.18.5\n\n------------------------------------------\n\n[Affected Component]\nsource/core/interface/decoder.cpp\n\nSOT tile-part dispatch\nUnchecked Isot field from the SOT marker\nj2k_tile::add_tile_part()\n\n------------------------------------------\n\n[Root Cause]\nThe decoder used the Isot tile index from the SOT marker to\ndispatch tile parts through tileSet without first validating that\nthe index was smaller than tileSet.size().\n\nIn vulnerable versions, a crafted codestream could specify an\nout-of-range SOT tile index. This caused tileSet[tile_index] to\naccess memory outside the valid tileSet allocation and reach\nj2k_tile::add_tile_part() through an invalid tile object.\n\n------------------------------------------\n\n[Attack Vectors]\nAn attacker can trigger the vulnerability with a crafted J2K/JP2\ncodestream containing an out-of-range SOT Isot tile index.\n\nThe issue is reachable during JPIP server startup codestream\nloading through PacketLocator::build(), and also through public\ndecoder entry points such as invoke(), invoke_line_based(),\ninvoke_line_based_stream(), and invoke_line_based_predecoded().\n\n------------------------------------------\n\n[Impact]\nHeap out-of-bounds access and information disclosure\n\nConfirmed impact:\n- Heap out-of-bounds access in tile-part dispatch\n- Heap OOB read/write behavior\n- Server-surviving JPIP heap information leak\n- Heap pointer-like values reflected in JPIP tile-header data-bin responses\n\nIn reporter testing, a crafted codestream caused heap pointer\nvalues written by j2k_tile::add_tile_part() into memory adjacent\nto the tileSet allocation to be reflected back to the client via\nsubsequent JPIP tile-header data-bin responses.\n\n------------------------------------------\n\n[Fix]\nOpenHTJ2K v0.18.5 added validation to reject out-of-range SOT\ntile indices before dispatching tile parts.\n\nThe fix checks tile_index &gt;= tileSet.size() at all four SOT\ndispatch sites in source/core/interface/decoder.cpp. Malformed\ninputs with Isot &gt;= numTiles are now rejected at parse time\ninstead of silently corrupting heap memory.\n\n------------------------------------------\n\n[Reference]\nhttps://github.com/osamu620/OpenHTJ2K/releases/tag/v0.18.5\nhttps://github.com/osamu620/OpenHTJ2K/releases\n\n------------------------------------------\n\n[Discoverer]\nKANG DAEUN (SANGMYUNG UNIVERSITY, https://github.com/Daeun2046)\nOH HAN GUEL (SANGMYUNG UNIVERSITY, https://github.com/5asever40-a11y)\n", "creation_timestamp": "2026-07-10T14:09:21.869430Z"}, {"uuid": "99954543-ef08-4519-b6ba-d24afd0d73d1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51807", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqnfu3brq72t", "content": "CVE-2026-51807 - OpenHTJ2K Buffer Overflow Vulnerability\nCVE ID : CVE-2026-51807\n \n Published : July 14, 2026, 11:17 p.m. | 14\u00a0minutes ago\n \n Description : Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the j2k_p...", "creation_timestamp": "2026-07-14T23:56:20.893591Z"}, {"uuid": "7a97adbd-d75f-4e33-b4ff-f916201e7122", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51808", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqng6v6lcp2w", "content": "CVE-2026-51808 - OpenHTJ2K Buffer Overflow Vulnerability\nCVE ID : CVE-2026-51808\n \n Published : July 14, 2026, 11:17 p.m. | 14\u00a0minutes ago\n \n Description : Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the openh...", "creation_timestamp": "2026-07-15T00:02:23.558621Z"}, {"uuid": "f4cd7ba5-a1e8-4f12-a70a-21425d91865d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51808", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mqox4px6yq2j", "content": "CVE-2026-51808\nA vulnerability in OpenHTJ2K versions 0.18.4 and earlier allows attackers to run unauthorized code on a system. This could lead to data theft or system compromise. Update to the latest version of OpenHTJ2K to\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#CVE #infosec", "creation_timestamp": "2026-07-15T14:38:04.254582Z"}, {"uuid": "ba0bca7e-699c-42df-b4c4-209a7782ad57", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51807", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mqp2sskhc32c", "content": "CVE-2026-51807\nOpenHTJ2K, a Java library for handling JPEG 2000 files, has a security issue that could allow an attacker to run unauthorized code on a system by sending it a specially crafted file. This is a serious issue\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#CVE #infosec", "creation_timestamp": "2026-07-15T15:44:06.440319Z"}]}