CVE-2018-5268
Description
In OpenCV 3.3.1, a heap-based buffer overflow happens in cv::Jpeg2KDecoder::readComponent8u in modules/imgcodecs/src/grfmt_jpeg2000.cpp when parsing a crafted image file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-based buffer overflow in OpenCV 3.3.1's Jpeg2KDecoder when parsing crafted JPEG2000 images can lead to denial of service or potential code execution.
Vulnerability
A heap-based buffer overflow exists in cv::Jpeg2KDecoder::readComponent8u in modules/imgcodecs/src/grfmt_jpeg2000.cpp of OpenCV 3.3.1 [4]. The vulnerability occurs when the function decodes a crafted JPEG2000 image without properly validating component data, leading to an out-of-bounds write. The issue was reported in OpenCV issue #10541 [4] and addressed in a subsequent fix [2].
Exploitation
An attacker can exploit this flaw by supplying a specially crafted JPEG2000 image file to an application that uses OpenCV's imread() or similar decoding functions. No authentication or special privileges are required; the attack can be remote if the victim opens the malicious image from an untrusted source. The overflow is triggered during the readComponent8u function when a component data type mismatch causes a write past the end of the allocated heap buffer [4].
Impact
Successful exploitation corrupts heap memory, which typically results in a denial of service (application crash). Under favorable conditions, the attacker may achieve arbitrary code execution with the privileges of the process. The AddressSanitizer trace in the issue report [4] shows a 1-byte write overflow adjacent to a 6-byte allocation, confirming the heap buffer overflow nature of the flaw.
Mitigation
The fix was committed to OpenCV's master branch via pull request #10566 [2] and is included in OpenCV versions starting from 3.4. Users should upgrade to OpenCV 3.4 or later. For installations running version 3.3.1 or earlier where an upgrade is not possible, avoid processing JPEG2000 images from untrusted sources. No other workaround is available in the affected version.
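One way to enforce this mitigation in a Python service is sketched below as an added example; it is not code from OpenCV or from the advisory. The function names are hypothetical, the sample bytes are constructed, and the patched version is the one listed for the PyPI packages on this page.

```python
import re
from importlib import metadata

# Patched PyPI version, taken from the "Affected packages" table on this page.
PATCHED = (3, 4, 1, 15)
# Standard JPEG 2000 signatures: JP2 signature box, and raw codestream (SOC + SIZ).
JP2_BOX = bytes.fromhex("0000000c6a5020200d0a870a")
J2K_CODESTREAM = bytes.fromhex("ff4fff51")

def installed_version():
    """Return the installed opencv-python / opencv-contrib-python version, or None."""
    for name in ("opencv-python", "opencv-contrib-python"):
        try:
            return metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
    return None

def is_vulnerable(pkg_version):
    """True if the PyPI package version is below the patched one (unknown => True)."""
    if not pkg_version:
        return True  # fail closed when the version cannot be determined
    parts = tuple(int(n) for n in re.findall(r"\d+", pkg_version)[:4])
    return parts < PATCHED

def is_jpeg2000(data):
    """Sniff the leading bytes; imread() picks its decoder from content, not extension."""
    return data.startswith(JP2_BOX) or data.startswith(J2K_CODESTREAM)

def safe_to_decode(data, pkg_version):
    """Hypothetical gate: refuse JPEG 2000 input while an affected build is installed."""
    return not (is_jpeg2000(data) and is_vulnerable(pkg_version))

# Constructed sample inputs (header bytes only, not real images).
SAMPLE_JP2 = JP2_BOX + b"\x00" * 8
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    ver = installed_version()
    for label, blob in (("jp2", SAMPLE_JP2), ("png", SAMPLE_PNG)):
        print(label, "version:", ver, "decode allowed:", safe_to_decode(blob, ver))
```

Call the gate on the raw bytes before they reach `cv2.imread()` or `cv2.imdecode()`, and reject or quarantine the input when it returns `False`.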
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| opencv-python (PyPI) | < 3.4.1.15 | 3.4.1.15 |
| opencv-contrib-python (PyPI) | < 3.4.1.15 | 3.4.1.15 |
Affected products
- ghsa-coords (2 versions)
  - (no CPE) range: < 3.4.1.15
  - (no CPE) range: < 3.4.1.15
References
- github.com/advisories/GHSA-9g8h-pjm4-q92p (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-5268 (ghsa, ADVISORY)
- www.securityfocus.com/bid/106945 (ghsa, vdb-entry, x_refsource_BID, WEB)
- github.com/opencv/opencv/issues/10541 (ghsa, x_refsource_MISC, WEB)
- github.com/opencv/opencv/pull/10566/commits/435a3e337bd9d4e11af61cf8b8afca067bf1a8aa (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2018/04/msg00019.html (ghsa, mailing-list, x_refsource_MLIST, WEB)
- lists.debian.org/debian-lts-announce/2018/07/msg00030.html (ghsa, mailing-list, x_refsource_MLIST, WEB)
- lists.debian.org/debian-lts-announce/2021/10/msg00028.html (ghsa, mailing-list, x_refsource_MLIST, WEB)