CVE-2026-1837

Publication date 11 February 2026

Last updated 30 June 2026


Ubuntu priority

Cvss 3 Severity Score

8.8 · High

Score breakdown

Description

A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).

Status

Package Ubuntu Release Status
jpeg-xl 25.10 questing
Fixed 0.11.1-6ubuntu1.1
24.04 LTS noble
Not affected
22.04 LTS jammy Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
jpeg-xl

Severity score breakdown

CVSS version:

Base score 8.7 · High

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Base score 8.8 · High

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references


Access our resources on patching vulnerabilities