CVE-2018-6616
Description
OpenJPEG 2.3.0 has an excessive iteration in opj_t1_encode_cblks that can be triggered by a crafted BMP file, causing a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In OpenJPEG 2.3.0, the opj_t1_encode_cblks function in openjp2/t1.c contains an excessive iteration issue. The function contains nested loops over components, resolutions, bands, precincts, and code-blocks. An attacker can craft a BMP file that manipulates loop termination variables (such as prc->cw * prc->ch and res->pw * res->ph) to cause the function to iterate for an extremely long time, effectively hanging the compression process. The issue is present in version 2.3.0 and the master branch [1].
Exploitation
An attacker must deliver a specially crafted BMP file to a user or service that uses opj_compress (or any application leveraging the library's compression functionality) with the vulnerable version. The exploit requires no authentication or special privileges beyond the ability to provide the BMP file as input. The attacker triggers the excessive iteration by running a command such as ./opj_compress -n 1 -i $POC -o /tmp/null.j2k, where the POC file is a 144-byte BMP that causes OpenJPEG to spend more than 15 minutes in the nested loops, resulting in denial of service [1].
Impact
Successful exploitation results in a denial of service, as the compression process becomes unresponsive for an extended period or indefinitely. This can lead to resource exhaustion and unavailability of the affected service or system. The impact is limited to availability; there is no evidence of information disclosure or code execution [1].
Mitigation
The upstream OpenJPEG project has not released a patched version for this specific issue as of the reference date (February 2018). The issue is distinct from #996, which was fixed in commit 5597522, but CVE-2018-6616 remains unaddressed in the reference. Users should monitor the OpenJPEG repository for future updates. Until a fix is available, avoid processing untrusted BMP files with OpenJPEG's compression functionality. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
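One way to limit exposure where untrusted images still have to be encoded, shown as an added example that is not part of the advisory or of the OpenJPEG project: run the encoder under a hard CPU-time limit so that a file driving it into a long loop is killed rather than occupying the worker. `OPJ_COMPRESS`, `CPU_LIMIT_SECS` and `compress_untrusted` are names chosen for this example; only the `-i` and `-o` flags come from the page.

```sh
# Added example: encode untrusted images under a hard CPU budget.
# OPJ_COMPRESS, CPU_LIMIT_SECS and compress_untrusted are names chosen here.
OPJ_COMPRESS="${OPJ_COMPRESS:-opj_compress}"   # encoder binary, assumed on PATH
CPU_LIMIT_SECS="${CPU_LIMIT_SECS:-30}"         # CPU seconds allowed per file

# compress_untrusted <input-image> <output.j2k>
# Exit status: 0 encoded; 1 encoder reported an error; 2 bad arguments;
# 3 encoder was terminated by a signal (CPU limit exceeded, or a crash).
# The body is a subshell, so the ulimit never leaks into the calling shell.
compress_untrusted() (
    src=$1
    dst=$2
    [ -f "$src" ] && [ -n "$dst" ] || exit 2

    # RLIMIT_CPU is inherited by the encoder; the kernel signals the process
    # once it has consumed this much CPU time, however the loop was reached.
    ulimit -t "$CPU_LIMIT_SECS" || exit 2

    rc=0
    "$OPJ_COMPRESS" -i "$src" -o "$dst" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 0 ] && exit 0

    rm -f -- "$dst"                 # never hand on a partial code stream
    [ "$rc" -gt 128 ] && exit 3     # 128+N means "killed by signal N"
    exit 1
)
```

Exit status 3 is the one to log and alert on: an input that exhausts the CPU budget is a candidate for quarantine rather than a retry.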
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
25 listed; osv-coords: 24 versions
- pkg:rpm/opensuse/ghostscript&distro=openSUSE%20Tumbleweed (no CPE), range: < 9.54.0-2.2
- pkg:rpm/opensuse/openjpeg2&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Enterprise%20Storage%206 (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Enterprise%20Storage%207 (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3 (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2 (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Manager%20Proxy%204.1 (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1 (no CPE), range: < 2.3.0-150000.3.5.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Manager%20Server%204.1 (no CPE), range: < 2.3.0-150000.3.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Excessive iteration in the opj_t1_encode_cblks function can be triggered by crafted input."
Attack vector
Remote attackers can send a crafted BMP file to the `opj_compress` utility. This crafted file causes the `opj_t1_encode_cblks` function to enter an excessive iteration state. The program then becomes unresponsive for an extended period, leading to a denial of service.
Affected code
The vulnerability resides in the `opj_t1_encode_cblks` function located in `openjp2/t1.c`. The issue involves a five-level nested loop structure where the terminating variables can be manipulated by the input file, leading to excessive iterations.
What the fix does
The advisory does not specify a patch or provide remediation guidance. Therefore, the exact fix is not detailed. However, the vulnerability is described as an excessive iteration within the `opj_t1_encode_cblks` function, suggesting that loop termination conditions or input processing related to block encoding need to be corrected.
Preconditions
- input: A crafted BMP file is required as input.
Reproduction
To reproduce the issue, run: `./opj_compress -n 1 -i $POC -o /tmp/null.j2k`
POC: https://github.com/ProbeFuzzer/poc/blob/master/openjpeg/openjpeg_2-3_opj_compress_excessive-iteration_opj_t1_encode_cblks.bmp
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- usn.ubuntu.com/4109-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2019/dsa-4405 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/uclouvain/openjpeg/issues/1059 (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2018/12/msg00013.html (mitre, mailing-list, x_refsource_MLIST)
- www.oracle.com/security-alerts/cpujul2020.html (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.