PT-2026-7615 · Lcms2+1

Novomesk · Published 2026-01-01 · Updated 2026-05-11 · CVE-2026-1837

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

libjxl (affected versions not specified)

Description

A crafted file can lead to libjxl's decoder writing pixel data to uninitialized and unallocated memory. Subsequently, data from another uninitialized region is copied to pixel data. This occurs when requesting color transformation of grayscale images to another grayscale color space. Specifically, buffers allocated for 1-float-per-pixel are incorrectly used as if they are allocated for 3-float-per-pixel. This behavior is observed only when LCMS2 is utilized as the Color Management System (CMS) engine. An alternative CMS engine is available and selectable during the build process.
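
The size mismatch in the description, shown from the defensive side as an added example (not libjxl or LCMS2 code): a row transform that carries each buffer's allocated size with the pointer and rejects a call whose channel count needs more floats than were allocated. `RowBuf`, `transform_row` and `demo_gray_row` are hypothetical names, and the copy loop is only a placeholder for the real CMS call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical row buffer: the allocation size travels with the pointer. */
typedef struct {
    float *data;
    size_t capacity; /* floats actually allocated */
} RowBuf;

/* Floats needed for one interleaved row; 0 means invalid or overflow. */
static size_t row_floats(size_t xsize, size_t channels) {
    if (xsize == 0 || channels == 0 || xsize > SIZE_MAX / channels) return 0;
    return xsize * channels;
}

/* Placeholder for the CMS call: copies channel 0 of each input pixel into
 * every output channel. Refuses to run unless both buffers really hold
 * xsize * channels floats. Returns 0 on success, -1 on rejection. */
static int transform_row(const RowBuf *in, RowBuf *out, size_t xsize,
                         size_t in_ch, size_t out_ch) {
    size_t need_in = row_floats(xsize, in_ch);
    size_t need_out = row_floats(xsize, out_ch);
    if (!in || !out || !in->data || !out->data) return -1;
    if (need_in == 0 || need_out == 0) return -1;
    if (in->capacity < need_in || out->capacity < need_out) return -1;
    for (size_t x = 0; x < xsize; x++)
        for (size_t c = 0; c < out_ch; c++)
            out->data[x * out_ch + c] = in->data[x * in_ch];
    return 0;
}

/* Constructed sample: a gray row of 8 pixels allocated at 1 float per pixel,
 * handed to the transform with the channel count the caller assumes. */
static int demo_gray_row(size_t assumed_channels) {
    enum { XSIZE = 8 };
    float src[XSIZE] = {0.0f, 0.1f, 0.2f, 0.3f, 0.4f, 0.5f, 0.6f, 0.7f};
    float dst[XSIZE] = {0};
    RowBuf in = {src, XSIZE}, out = {dst, XSIZE};
    int rc = transform_row(&in, &out, XSIZE, assumed_channels, assumed_channels);
    if (rc == 0 && dst[XSIZE - 1] != src[XSIZE - 1]) return -2; /* copy check */
    return rc;
}

int main(void) {
    printf("gray row as 1 float/pixel:  %d\n", demo_gray_row(1));
    printf("gray row as 3 floats/pixel: %d\n", demo_gray_row(3));
    return 0;
}
```
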
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-1837
OPENSUSE-SU-2026:10271-1
OPENSUSE-SU-2026:20385-1
SUSE-SU-2026:0648-1
SUSE-SU-2026:20903-1
USN-8146-1

Affected Products

Lcms2
Libjxl