CVE-2020-27841
Description
OpenJPEG versions prior to 2.4.0 contain an out-of-bounds read flaw in src/lib/openjp2/pi.c, which can be triggered by crafted input, leading to application denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenJPEG versions prior to 2.4.0 contain an out-of-bounds read flaw in src/lib/openjp2/pi.c, which can be triggered by crafted input, leading to application denial of service.
Vulnerability
A flaw exists in openjpeg versions prior to 2.4.0 in src/lib/openjp2/pi.c. When an attacker provides crafted input to be processed by the openjpeg encoder, this can cause an out-of-bounds read. The affected versions are all releases before 2.4.0 [1].
Exploitation
An attacker needs the ability to supply a crafted input file to the openjpeg encoder. No special privileges are required beyond the ability to deliver the malicious image. The exact sequence of steps is not detailed, but the flaw is reachable through the encoder's normal processing of the input [1].
Impact
The out-of-bounds read can cause the application to crash, leading to denial of service. The greatest impact from this flaw is to application availability [1]. The disclosure notes that arbitrary code execution is not indicated; the primary result is a crash [3].
Mitigation
Upgrade to openjpeg version 2.4.0 or later, which contains the fix [3]. For Red Hat Enterprise Linux 8, the shipped openjpeg2 is not affected because the vulnerable code was introduced after that release [1]. A general workaround is to avoid using openjpeg to process untrusted input if an upgrade cannot be applied [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
26- openjpeg/openjpegdescription
- osv-coords24 versionspkg:rpm/opensuse/openjpeg2&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/openjpeg2&distro=openSUSE%20Leap%2015.4pkg:rpm/suse/openjpeg2&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/openjpeg2&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/openjpeg2&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/openjpeg2&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/openjpeg2&distro=SUSE%20Manager%20Server%204.1
< 2.3.0-150000.3.8.1+ 23 more
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
- (no CPE)range: < 2.3.0-150000.3.8.1
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
7- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJUPGIZE6A4O52EBOF75MCXJOL6MUCRV/mitrevendor-advisoryx_refsource_FEDORA
- security.gentoo.org/glsa/202101-29mitrevendor-advisoryx_refsource_GENTOO
- www.debian.org/security/2021/dsa-4882mitrevendor-advisoryx_refsource_DEBIAN
- bugzilla.redhat.com/show_bug.cgimitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2021/02/msg00011.htmlmitremailing-listx_refsource_MLIST
- www.oracle.com//security-alerts/cpujul2021.htmlmitrex_refsource_MISC
- www.oracle.com/security-alerts/cpuApr2021.htmlmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.