{"vulnerability": "cve-2026-51808", "sightings": [{"uuid": "969b6fc4-e6f4-4834-9209-ac54fa68a7c9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51808", "type": "seen", "source": "https://gist.github.com/5asever40-a11y/037cd04eda92cc2cebf84ab8d375b878", "content": "# CVE-2026-51808\n\nSOT out-of-bounds tile index handling in OpenHTJ2K allows\nheap out-of-bounds access and confirmed JPIP server-side\nheap information disclosure via a crafted J2K/JP2 codestream.\n\n------------------------------------------\n\n[Vulnerability Type]\nOut-of-Bounds Access\nOut-of-Bounds Read/Write\nInformation Disclosure\n\n------------------------------------------\n\n[Vendor of Product]\nOpenHTJ2K\n\n------------------------------------------\n\n[Affected Product Code Base]\nOpenHTJ2K versions before v0.18.5\n\nFixed version: v0.18.5\nFix commit/tag: a874649 / v0.18.5\n\n------------------------------------------\n\n[Affected Component]\nsource/core/interface/decoder.cpp\n\nSOT tile-part dispatch\nUnchecked Isot field from the SOT marker\nj2k_tile::add_tile_part()\n\n------------------------------------------\n\n[Root Cause]\nThe decoder used the Isot tile index from the SOT marker to\ndispatch tile parts through tileSet without first validating that\nthe index was smaller than tileSet.size().\n\nIn vulnerable versions, a crafted codestream could specify an\nout-of-range SOT tile index. This caused tileSet[tile_index] to\naccess memory outside the valid tileSet allocation and reach\nj2k_tile::add_tile_part() through an invalid tile object.\n\n------------------------------------------\n\n[Attack Vectors]\nAn attacker can trigger the vulnerability with a crafted J2K/JP2\ncodestream containing an out-of-range SOT Isot tile index.\n\nThe issue is reachable during JPIP server startup codestream\nloading through PacketLocator::build(), and also through public\ndecoder entry points such as invoke(), invoke_line_based(),\ninvoke_line_based_stream(), and invoke_line_based_predecoded().\n\n------------------------------------------\n\n[Impact]\nHeap out-of-bounds access and information disclosure\n\nConfirmed impact:\n- Heap out-of-bounds access in tile-part dispatch\n- Heap OOB read/write behavior\n- Server-surviving JPIP heap information leak\n- Heap pointer-like values reflected in JPIP tile-header data-bin responses\n\nIn reporter testing, a crafted codestream caused heap pointer\nvalues written by j2k_tile::add_tile_part() into memory adjacent\nto the tileSet allocation to be reflected back to the client via\nsubsequent JPIP tile-header data-bin responses.\n\n------------------------------------------\n\n[Fix]\nOpenHTJ2K v0.18.5 added validation to reject out-of-range SOT\ntile indices before dispatching tile parts.\n\nThe fix checks tile_index &gt;= tileSet.size() at all four SOT\ndispatch sites in source/core/interface/decoder.cpp. Malformed\ninputs with Isot &gt;= numTiles are now rejected at parse time\ninstead of silently corrupting heap memory.\n\n------------------------------------------\n\n[Reference]\nhttps://github.com/osamu620/OpenHTJ2K/releases/tag/v0.18.5\nhttps://github.com/osamu620/OpenHTJ2K/releases\n\n------------------------------------------\n\n[Discoverer]\nKANG DAEUN (SANGMYUNG UNIVERSITY, https://github.com/Daeun2046)\nOH HAN GUEL (SANGMYUNG UNIVERSITY, https://github.com/5asever40-a11y)\n", "creation_timestamp": "2026-07-10T14:09:21.869430Z"}, {"uuid": "7a97adbd-d75f-4e33-b4ff-f916201e7122", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51808", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqng6v6lcp2w", "content": "CVE-2026-51808 - OpenHTJ2K Buffer Overflow Vulnerability\nCVE ID : CVE-2026-51808\n \n Published : July 14, 2026, 11:17 p.m. | 14\u00a0minutes ago\n \n Description : Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the openh...", "creation_timestamp": "2026-07-15T00:02:23.558621Z"}, {"uuid": "f4cd7ba5-a1e8-4f12-a70a-21425d91865d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51808", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mqox4px6yq2j", "content": "CVE-2026-51808\nA vulnerability in OpenHTJ2K versions 0.18.4 and earlier allows attackers to run unauthorized code on a system. This could lead to data theft or system compromise. Update to the latest version of OpenHTJ2K to\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#CVE #infosec", "creation_timestamp": "2026-07-15T14:38:04.254582Z"}]}