CVE-2026-1837
Published: 11 February 2026
Summary
CVE-2026-1837 is a high-severity Buffer Access with Incorrect Length Value (CWE-805) vulnerability in Libjxl Project Libjxl. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-1837 is a memory corruption vulnerability in the libjxl image decoding library. A specially-crafted JPEG XL file can trigger the decoder to write pixel data to uninitialized and unallocated memory regions. This occurs during color transformation of grayscale images to another grayscale color space, where buffers allocated for 1-float-per-pixel are incorrectly used as if allocated for 3-float-per-pixel. The issue affects builds of libjxl that use LCMS2 as the color management system (CMS) engine; an alternative CMS engine can be selected via build flags to avoid it. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-805 (Buffer Access with Incorrect Length Value) and CWE-770 (Allocation of Resources Without Limits or Throttling).
Attackers can exploit this vulnerability remotely without authentication or user interaction by supplying a malicious JPEG XL file to any application or service that processes images with libjxl's decoder and LCMS2 enabled. Successful exploitation leads to a denial of service through application crashes caused by the invalid memory accesses, with no reported impacts on confidentiality or integrity.
Details on the vulnerability, including potential patches or workarounds, are discussed in the libjxl GitHub issue at https://github.com/libjxl/libjxl/issues/4549.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6177
Vulnerability details
A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color transformation of grayscale images…
more
to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated supply of malicious JPEG XL image to image-processing services/apps enables exploitation of public-facing applications for endpoint DoS via crafted input triggering memory corruption crash.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely installation of patches or updates to remediate the specific memory corruption vulnerability in libjxl's decoder as detailed in the GitHub issue.
Implements memory protection mechanisms like ASLR and DEP to prevent or limit exploitation of invalid writes to uninitialized unallocated memory regions during libjxl decoding.
Mandates secure configuration settings, such as building libjxl with the alternative CMS engine instead of LCMS2, to avoid the vulnerable grayscale color transformation path entirely.