CVE-2020-8112
Description
A heap-buffer-overflow in OpenJPEG's opj_t1_clbl_decode_processor allows remote code execution via crafted JPEG2000 images.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in the opj_t1_clbl_decode_processor function in openjp2/t1.c of OpenJPEG versions 2.3.1 through 2020-01-28, in the qmfbid==1 code path. The overflow is triggered during the decoding of specially crafted JPEG2000 images [3].
Exploitation
An attacker can exploit this vulnerability by providing a malicious JPEG2000 image file to an application using the vulnerable OpenJPEG library. Processing the image (e.g., via opj_decompress) triggers a heap buffer overflow [3]. No authentication or special privileges are required; only the ability to deliver a crafted file and have it decoded.
Impact
Successful exploitation allows an attacker to write out-of-bounds on the heap, which may lead to arbitrary code execution or denial of service. Red Hat rated this as Important severity [2][4].
Mitigation
Red Hat released updated packages for Red Hat Enterprise Linux 7 (RHSA-2020:0550) [2], 8 (RHSA-2020:0570) [1], and 8.0 SAP Solutions (RHSA-2020:0569) [4]. The fixed version is openjpeg2-2.3.1-3.el8_1 [1] or equivalent. Users should update to the patched version; as a workaround, only process trusted JPEG2000 images.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OpenJPEG/OpenJPEG
- osv-coords: 58 versions
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check in the `qmfbid==1` case of `opj_t1_clbl_decode_processor` in `openjp2/t1.c` allows writing past the end of a heap-allocated buffer."
Attack vector
An attacker provides a crafted JPEG2000 image file that, when decoded by `opj_decompress` or any application using the OpenJPEG library, triggers a heap-based buffer overflow in `opj_t1_clbl_decode_processor` [ref_id=2]. The overflow is a WRITE of size 16 at a heap buffer boundary, occurring specifically in the `qmfbid==1` code path [ref_id=2]. The attacker does not need authentication; the only precondition is that the victim opens the malicious image with a vulnerable version of OpenJPEG (2.3.1 through 2020-01-28).
Affected code
The vulnerability resides in the function `opj_t1_clbl_decode_processor` in `openjp2/t1.c` at line 1765 [ref_id=2]. The crash occurs in the `qmfbid==1` case, as noted in the CVE description. The Red Hat advisories confirm the affected file is `openjp2/t1.c` [ref_id=1][ref_id=3].
What the fix does
The bundle does not include a patch diff. The Red Hat advisories [ref_id=1][ref_id=3] indicate that the fix is delivered via updated packages (openjpeg2-2.3.1-3.el7_7 for RHEL 7 and openjpeg2-2.3.0-10.el8_0 for RHEL 8), but the specific code changes are not shown. The researcher's issue report [ref_id=2] notes the overflow is similar to issue #1228 and was still present on master commit b63a433, but does not describe the fix. Without the patch, the exact remediation logic cannot be detailed.
Preconditions
- input: Victim must open a crafted JPEG2000 file using a vulnerable version of OpenJPEG (2.3.1 through 2020-01-28).
- auth: No authentication or special privileges required; the attack is triggered by normal file decoding.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2020:0550 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2020:0569 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2020:0570 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2020:0694 (mitre, vendor-advisory, x_refsource_REDHAT)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFM77GIFWHOECNIERYJQPI2ZJU57GZD5/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFEVEKETJV7GOXD5RDWL35ESEDHC663E/ (mitre, vendor-advisory, x_refsource_FEDORA)
- www.debian.org/security/2021/dsa-4882 (mitre, vendor-advisory, x_refsource_DEBIAN)
- github.com/uclouvain/openjpeg/issues/1231 (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2020/01/msg00035.html (mitre, mailing-list, x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2020/07/msg00008.html (mitre, mailing-list, x_refsource_MLIST)
- www.oracle.com/security-alerts/cpujul2020.html (mitre, x_refsource_MISC)