CVE-2026-1837

Publication date 11 February 2026

Last updated 2 April 2026

Ubuntu priority

Description

A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).

Status

Show unmaintained releases

Package	Ubuntu Release	Status
jpeg-xl	25.10 questing	Fixed 0.11.1-6ubuntu1.1
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
jpeg-xl	Upstream: 77f3640

CVE-2026-1837

Description

Status

Patch details

References

Related Ubuntu Security Notices (USN)

Other references

Access our resources on patching vulnerabilities