CVE-2020-6851
Description
OpenJPEG before 2.3.1.1 lacks validation in opj_j2k_update_image_dimensions, leading to a heap buffer overflow in opj_t1_clbl_decode_processor.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in OpenJPEG through version 2.3.1 (including the current master branch at commit ac37373) within the opj_t1_clbl_decode_processor function in openjp2/t1.c. The root cause is the lack of validation when calling opj_j2k_update_image_dimensions, which allows an attacker to craft a malicious JPEG2000 image that triggers an out-of-bounds write during tile decoding [1][2][3].
Exploitation
An attacker must supply a specially crafted JPEG2000 file that, when processed by an application using the affected OpenJPEG library, causes opj_j2k_update_image_dimensions to compute invalid image dimensions. Decoding then leads to a heap buffer overflow in opj_t1_clbl_decode_processor, as demonstrated by the address sanitizer stack trace showing a write of size 4 to an out-of-bounds heap address. No special privileges or network position beyond providing the file to a vulnerable system is required; user interaction is limited to opening or processing the malformed image [3].
Impact
Successful exploitation results in a heap-based buffer overflow, which can cause a denial of service (crash) and may allow an attacker to corrupt memory. Depending on the context, this could potentially lead to arbitrary code execution or other memory-related compromises, though the public references primarily demonstrate a crash [2][3].
Mitigation
Red Hat has released patches for RHEL 7 and RHEL 8 distributions (openjpeg2 updated to versions 2.3.1-2.el8_1 and 2.3.0-9.el8_0, respectively) via advisories RHSA-2020:0262, RHSA-2020:0274, and RHSA-2020:0296 [1][2][4]. Users of other platforms should update to a version incorporating the fix (after 2.3.1). No workaround is available if the library cannot be updated; the recommended action is to apply the vendor-provided patch or upgrade to a corrected release.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
25 entries:
- OpenJPEG/OpenJPEG (description)
- osv-coords, 23 versions, each with no CPE and range: < 2.3.0-150000.3.5.1
  - pkg:rpm/opensuse/openjpeg2&distro=openSUSE%20Leap%2015.3
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Enterprise%20Storage%206
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Enterprise%20Storage%207
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Manager%20Proxy%204.1
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1
  - pkg:rpm/suse/openjpeg2&distro=SUSE%20Manager%20Server%204.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
10 references:
- access.redhat.com/errata/RHSA-2020:0262 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2020:0274 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2020:0296 (mitre, vendor-advisory, x_refsource_REDHAT)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LACIIDDCKZJEPKTTFILSOSBQL7L3FC6V/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XBRMI2D3XPVWKE3V52KRBW7BJVLS5LD3/ (mitre, vendor-advisory, x_refsource_FEDORA)
- www.debian.org/security/2021/dsa-4882 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/uclouvain/openjpeg/issues/1228 (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2020/01/msg00025.html (mitre, mailing-list, x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2020/07/msg00008.html (mitre, mailing-list, x_refsource_MLIST)
- www.oracle.com/security-alerts/cpujul2020.html (mitre, x_refsource_MISC)