Cyber Resilience

CVE-2026-1837

HighPublic PoCDDoSUpdated

Published: 11 February 2026

Published
11 February 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 6.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-1837 is a high-severity Buffer Access with Incorrect Length Value (CWE-805) vulnerability in Libjxl Project Libjxl. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-1837 is a memory corruption vulnerability in the libjxl image decoding library. A specially-crafted JPEG XL file can trigger the decoder to write pixel data to uninitialized and unallocated memory regions. This occurs during color transformation of grayscale images to another grayscale color space, where buffers allocated for 1-float-per-pixel are incorrectly used as if allocated for 3-float-per-pixel. The issue affects builds of libjxl that use LCMS2 as the color management system (CMS) engine; an alternative CMS engine can be selected via build flags to avoid it. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-805 (Buffer Access with Incorrect Length Value) and CWE-770 (Allocation of Resources Without Limits or Throttling).

Attackers can exploit this vulnerability remotely without authentication or user interaction by supplying a malicious JPEG XL file to any application or service that processes images with libjxl's decoder and LCMS2 enabled. Successful exploitation leads to a denial of service through application crashes caused by the invalid memory accesses, with no reported impacts on confidentiality or integrity.

Details on the vulnerability, including potential patches or workarounds, are discussed in the libjxl GitHub issue at https://github.com/libjxl/libjxl/issues/4549.

EU & UK References

Vulnerability details

A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color transformation of grayscale images…

more

to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated supply of malicious JPEG XL image to image-processing services/apps enables exploitation of public-facing applications for endpoint DoS via crafted input triggering memory corruption crash.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1059Shared CWE-770
CVE-2026-29181Shared CWE-770
CVE-2025-13929Shared CWE-770
CVE-2026-28461Shared CWE-770
CVE-2026-5439Shared CWE-770
CVE-2026-1102Shared CWE-770
CVE-2026-33034Shared CWE-770
CVE-2020-36907Shared CWE-770
CVE-2024-12705Shared CWE-770
CVE-2026-20103Shared CWE-770

Affected Assets

libjxl project
libjxl
0.9.0 — 0.11.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely installation of patches or updates to remediate the specific memory corruption vulnerability in libjxl's decoder as detailed in the GitHub issue.

prevent

Implements memory protection mechanisms like ASLR and DEP to prevent or limit exploitation of invalid writes to uninitialized unallocated memory regions during libjxl decoding.

prevent

Mandates secure configuration settings, such as building libjxl with the alternative CMS engine instead of LCMS2, to avoid the vulnerable grayscale color transformation path entirely.

References