VYPR
Unrated severity · NVD Advisory · Published Mar 4, 2022 · Updated Nov 3, 2025

CVE-2021-3575

Description

A heap-based buffer overflow in openjpeg's color.c allows arbitrary code execution via a crafted .j2k file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow exists in OpenJPEG's color.c at line 379:42 in the sycc420_to_rgb function. The vulnerability occurs when decompressing a specially crafted .j2k file. Insufficient validation of the cb pointer leads to an out-of-bounds read. Affected versions include the latest release v2.4.0 and the current master branch (commit 0bda718) [1][2][3].

Exploitation

An attacker can exploit this vulnerability by supplying a malicious .j2k file to an application that uses OpenJPEG for decompression. No authentication or special network position is required; the attack vector is local, or remote where the application accepts user-supplied files. The user must trigger decompression of the crafted file (e.g., by opening it in an image viewer or running opj_decompress). The crash analysis shows a heap-buffer-overflow read of size 4 at color.c:379:42 [3].

Impact

Successful exploitation can lead to arbitrary code execution with the privileges of the application linked against OpenJPEG. The overflow is a read of 4 bytes beyond the allocated heap buffer, which can be leveraged by an attacker to corrupt memory and achieve code execution. The impact includes potential denial of service or full compromise of the affected system [1][2].

Mitigation

As of the latest available references (May 2023), no official patch has been committed to the OpenJPEG repository. A proposed fix exists in pull request #1362, but it has not been merged [1]. Users are advised to monitor the OpenJPEG project for updates and apply any future patches. No workaround is documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6

Patches

0

No patches discovered yet.

References

5
