CVE-2026-1837
Published: 11 February 2026
Summary
CVE-2026-1837 is a high-severity Buffer Access with Incorrect Length Value (CWE-805) vulnerability in Libjxl Project Libjxl. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated supply of malicious JPEG XL image to image-processing services/apps enables exploitation of public-facing applications for endpoint DoS via crafted input triggering memory corruption crash.
NVD Description
A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color transformation of grayscale images…
more
to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).
Deeper analysisAI
CVE-2026-1837 is a memory corruption vulnerability in the libjxl image decoding library. A specially-crafted JPEG XL file can trigger the decoder to write pixel data to uninitialized and unallocated memory regions. This occurs during color transformation of grayscale images to another grayscale color space, where buffers allocated for 1-float-per-pixel are incorrectly used as if allocated for 3-float-per-pixel. The issue affects builds of libjxl that use LCMS2 as the color management system (CMS) engine; an alternative CMS engine can be selected via build flags to avoid it. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-805 (Buffer Access with Incorrect Length Value) and CWE-770 (Allocation of Resources Without Limits or Throttling).
Attackers can exploit this vulnerability remotely without authentication or user interaction by supplying a malicious JPEG XL file to any application or service that processes images with libjxl's decoder and LCMS2 enabled. Successful exploitation leads to a denial of service through application crashes caused by the invalid memory accesses, with no reported impacts on confidentiality or integrity.
Details on the vulnerability, including potential patches or workarounds, are discussed in the libjxl GitHub issue at https://github.com/libjxl/libjxl/issues/4549.
Details
- CWE(s)