CVE-2020-27843
Description
OpenJPEG before 2.4.0 has an out-of-bounds read in opj_t2_encode_packet, allowing denial of service via crafted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2020-27843 is an out-of-bounds read in OpenJPEG, the open-source JPEG 2000 codec library, affecting releases before 2.4.0. The flaw is in the opj_t2_encode_packet function in src/lib/openjp2/t2.c, the tier-2 (T2) routine that writes the packets of a compressed tile during encoding. A specially crafted input image handed to the library's encoding or conversion functionality drives the function to read beyond the bounds of a buffer [1].
Exploitation
An attacker only needs to get a crafted input image processed by OpenJPEG's encoder, for example by feeding it to the opj_compress tool or to any application that links libopenjp2 and compresses untrusted images. No authentication or special network position is needed beyond the victim processing the attacker-controlled file. Because the affected function is part of the encoding path (opj_t2_encode_packet is only reached when packets are being written, not read), simply decoding an attacker-supplied .jp2/.j2k file does not trigger it; the out-of-bounds read occurs while the tier-2 stage builds the packets of a tile being encoded [1].
Impact
Successful exploitation makes the encoder read outside a buffer, which typically crashes the process (denial of service) and, since the read is not a write, can at most disclose the contents of adjacent memory. Red Hat rates the highest threat as system availability [1]. Nothing in the advisories indicates that the flaw allows arbitrary code execution.
Mitigation
The fix shipped in upstream OpenJPEG 2.4.0, so builds from source should move to 2.4.0 or later. Gentoo users should upgrade to >=media-libs/openjpeg-2.4.0:2 as GLSA 202101-29 directs; no workaround is known [3]. Other distributions backported the fix instead of rebasing: the affected-products data below lists fixed builds such as 2.4.0-4.el8 (AlmaLinux), 2.3.0-150000.3.8.1 and 1.5.2-150000.4.10.1 (SUSE and openSUSE) and 2.1.0-4.18.2 (SUSE Linux Enterprise 12), and Debian and Fedora published their own advisories (DSA-4882 and a package-announce message). When auditing a fleet, compare against the distribution's fixed package release, not the bare upstream version string, or every backported build will show up as a false positive. The Red Hat Bugzilla entry is closed as ERRATA, meaning the fix was delivered through a released erratum.
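The check described above, as an added example that is not code from the cited advisories or from the OpenJPEG project: it re-implements RPM's version-comparison rules (rpmvercmp) in Python so that a distribution release tag such as 150000.3.8.1 is honoured, and decides per package coordinate whether an installed build is still inside the affected range. The FIXED table is copied from this page's affected-products list; the inventory lines are constructed for the example, and the Debian coordinate in them is deliberately one the table does not know.

```python
"""Audit installed OpenJPEG RPMs against CVE-2020-27843's fixed builds.

Added example, not from the advisories or the OpenJPEG project. FIXED is
copied from the page's affected-products list; SAMPLE_INVENTORY is constructed.
"""
import re
import string

# First fixed epoch:version-release per coordinate (from the page). Installed
# builds that sort below their entry are affected. openSUSE qualifiers are
# dropped because both Leap releases share one fixed build.
FIXED = {
    "pkg:rpm/almalinux/openjpeg2": "2.4.0-4.el8",
    "pkg:rpm/almalinux/openjpeg2-tools": "2.4.0-4.el8",
    "pkg:rpm/opensuse/openjpeg2": "2.3.0-150000.3.8.1",
    "pkg:rpm/opensuse/openjpeg": "1.5.2-150000.4.10.1",
    "pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5": "2.1.0-4.18.2",
}

_KEEP = set(string.ascii_letters + string.digits + "~")   # chars rpmvercmp looks at
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """rpm's version/release ordering: -1, 0 or 1.

    Runs of digits compare numerically, runs of letters lexically, digits beat
    letters, other characters are separators, '~' sorts before anything
    (including end of string), and leftover segments make a string newer.
    """
    if a == b:
        return 0
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        while ia < len(a) and a[ia] not in _KEEP:
            ia += 1
        while ib < len(b) and b[ib] not in _KEEP:
            ib += 1
        ta = ia < len(a) and a[ia] == "~"
        tb = ib < len(b) and b[ib] == "~"
        if ta or tb:                       # tilde side is older
            if not ta:
                return 1
            if not tb:
                return -1
            ia, ib = ia + 1, ib + 1
            continue
        if ia >= len(a) or ib >= len(b):   # one side ran out of segments
            break
        sa = _SEGMENT.match(a, ia).group()
        sb = _SEGMENT.match(b, ib).group()
        ia, ib = ia + len(sa), ib + len(sb)
        if sa.isdigit() != sb.isdigit():
            return 1 if sa.isdigit() else -1
        if sa.isdigit():
            if int(sa) != int(sb):
                return 1 if int(sa) > int(sb) else -1
        elif sa != sb:
            return 1 if sa > sb else -1
    if ia < len(a):
        return 1
    if ib < len(b):
        return -1
    return 0


def parse_evr(evr: str):
    """Split 'epoch:version-release'; epoch defaults to 0, release may be ''."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(a: str, b: str) -> int:
    """Full RPM ordering: epoch first, then version, then release (if both have one)."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    if c or not (ra and rb):
        return c
    return rpmvercmp(ra, rb)


def is_vulnerable(purl: str, installed_evr: str) -> bool:
    """True when the installed build sorts below the distribution's fixed build."""
    return evr_cmp(installed_evr, FIXED[purl]) < 0


def upstream_version_only(installed_evr: str) -> bool:
    """The naive check (upstream version < 2.4.0); flags backported builds as vulnerable."""
    return rpmvercmp(parse_evr(installed_evr)[1], "2.4.0") < 0


def audit(lines):
    """'purl evr' lines -> [(purl, evr, True/False, or None when the coordinate is unknown)]."""
    out = []
    for line in lines:
        purl, evr = line.split()
        out.append((purl, evr, is_vulnerable(purl, evr) if purl in FIXED else None))
    return out


SAMPLE_INVENTORY = [                     # constructed, not a real host
    "pkg:rpm/almalinux/openjpeg2 2.3.1-11.el8",        # pre-fix build
    "pkg:rpm/almalinux/openjpeg2 2.4.0-4.el8",         # exactly the fixed build
    "pkg:rpm/opensuse/openjpeg2 2.3.0-150000.3.5.1",   # older SUSE release tag
    "pkg:rpm/opensuse/openjpeg2 2.3.0-150000.3.8.1",   # backport: fixed despite 2.3.0
    "pkg:rpm/opensuse/openjpeg 1.5.2-150000.4.10.1",   # legacy 1.x package, fixed build
    "pkg:rpm/debian/libopenjp2-7 2.3.1-1",             # not in FIXED: reported as unknown
]

if __name__ == "__main__":
    for purl, evr, vuln in audit(SAMPLE_INVENTORY):
        print(f"{purl:50} {evr:22} vulnerable={vuln} naive={upstream_version_only(evr)}")
```

Run as a script it prints one line per inventory entry; the SUSE 2.3.0-150000.3.8.1 row is the one to watch, where the naive upstream-only check says vulnerable and the release-aware check says fixed. Unknown coordinates are reported as None rather than guessed, since a range is only meaningful for the distribution that published it.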
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OpenJPEG/OpenJPEG (48 OSV package coordinates, none with a CPE; affected range listed per coordinate):
- pkg:rpm/almalinux/openjpeg2: < 2.4.0-4.el8
- pkg:rpm/almalinux/openjpeg2-devel: < 2.4.0-4.el8
- pkg:rpm/almalinux/openjpeg2-devel-docs: < 2.4.0-4.el8
- pkg:rpm/almalinux/openjpeg2-tools: < 2.4.0-4.el8
- pkg:rpm/opensuse/openjpeg2&distro=openSUSE%20Leap%2015.3: < 2.3.0-150000.3.8.1
- pkg:rpm/opensuse/openjpeg2&distro=openSUSE%20Leap%2015.4: < 2.3.0-150000.3.8.1
- pkg:rpm/opensuse/openjpeg&distro=openSUSE%20Leap%2015.3: < 1.5.2-150000.4.10.1
- pkg:rpm/opensuse/openjpeg&distro=openSUSE%20Leap%2015.4: < 1.5.2-150000.4.10.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Enterprise%20Storage%206: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Enterprise%20Storage%207: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL: < 2.1.0-4.18.2
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL: < 2.1.0-4.18.2
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS: < 2.1.0-4.18.2
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: < 2.1.0-4.18.2
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4: < 2.1.0-4.18.2
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: < 2.1.0-4.18.2
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Manager%20Proxy%204.1: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20Manager%20Server%204.1: < 2.3.0-150000.3.8.1
- pkg:rpm/suse/openjpeg2&distro=SUSE%20OpenStack%20Cloud%209: < 2.1.0-4.18.2
- pkg:rpm/suse/openjpeg2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209: < 2.1.0-4.18.2
- pkg:rpm/suse/openjpeg&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS: < 1.5.2-150000.4.10.1
- pkg:rpm/suse/openjpeg&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS: < 1.5.2-150000.4.10.1
- pkg:rpm/suse/openjpeg&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS: < 1.5.2-150000.4.10.1
- pkg:rpm/suse/openjpeg&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS: < 1.5.2-150000.4.10.1
- pkg:rpm/suse/openjpeg&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3: < 1.5.2-150000.4.10.1
- pkg:rpm/suse/openjpeg&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4: < 1.5.2-150000.4.10.1
- pkg:rpm/suse/openjpeg&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL: < 1.5.2-150000.4.10.1
- pkg:rpm/suse/openjpeg&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL: < 1.5.2-150000.4.10.1
- pkg:rpm/suse/openjpeg&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS: < 1.5.2-150000.4.10.1
- pkg:rpm/suse/openjpeg&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015: < 1.5.2-150000.4.10.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJUPGIZE6A4O52EBOF75MCXJOL6MUCRV/ (MITRE; vendor advisory; x_refsource_FEDORA)
- security.gentoo.org/glsa/202101-29 (MITRE; vendor advisory; x_refsource_GENTOO)
- www.debian.org/security/2021/dsa-4882 (MITRE; vendor advisory; x_refsource_DEBIAN)
- bugzilla.redhat.com/show_bug.cgi (MITRE; x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2022/04/msg00006.html (MITRE; mailing list; x_refsource_MLIST)
- www.oracle.com//security-alerts/cpujul2021.html (MITRE; x_refsource_MISC)
- www.oracle.com/security-alerts/cpuApr2021.html (MITRE; x_refsource_MISC)
News mentions
No linked articles in our index yet.