10 matches found

OSV
added 2026/06/16 4:58 a.m. · 3 views

MGASA-2026-0214 Updated lcms2 packages fix security vulnerability

Little CMS lcms2 through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication. CVE-2026-41254...

CVSS 7.5 · AI score 5.3 · EPSS 0.00365
Exploits 1 · References 6
Tenable Nessus
added 2026/03/30 12:0 a.m. · 5 views

Amazon Linux 2023 : lcms2, lcms2-devel, lcms2-utils (ALAS2023-2026-1474)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1474 advisory. A heap buffer overflow vulnerability has been identified in thesmooth2 in cmsgamma.c in lcms2-2.16 which allows a remote attacker to cause a denial of service. NOTE: the Supplier disputes this because...

CVSS 7.5 · AI score 6 · EPSS 0.00844
Exploits 0 · References 4
Tenable Nessus
added 2026/03/06 12:0 a.m. · 9 views

Amazon Linux 2023 : jxl-pixbuf-loader, libjxl, libjxl-devel (ALAS2023-2026-1459)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1459 advisory. A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized but allocated memory. This can be done by causing the decoder to reference an outside-image-bound area...

CVSS 8.7 · AI score 5.8 · EPSS 0.00171
Exploits 1 · References 6
SUSE CVE
added 2026/02/12 12:27 a.m. · 2 views

SUSE CVE-2026-1837

A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color transformation of grayscale images to another grayscale col...

CVSS 8.1 · AI score 5.5 · EPSS 0.00171
Exploits 1 · References 5
Snyk
added 2026/02/11 3:19 p.m. · 5 views

Out-of-bounds Write

Overview: Affected versions of this package are vulnerable to Out-of-bounds Write via the IsNeeded function when using LCMS2. An attacker can achieve arbitrary code execution or cause a denial of service by tricking a user into processing a specially crafted image file. Remediation: Upgrade libjxl ...

CVSS 9.2 · AI score 6.4 · EPSS 0.00171
Exploits 1 · References 2
CVE
added 2026/02/11 3:19 p.m. · 33 views

CVE-2026-1837

The connected records confirm CVE-2026-1837 affects libjxl’s decoder when LCMS2 is used as the CMS. A specially-crafted file can trigger an out-of-bounds write by transforming grayscale images to another grayscale color space, where buffers allocated for 1-float-per-pixel are treated as 3-float-p...

CVSS 8.7 · AI score 5.5 · EPSS 0.00171
Exploits 1 · References 1 · Affected Software 1
Debian CVE
added 2026/02/11 3:19 p.m. · 5 views

CVE-2026-1837

A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color transformation of grayscale images to another grayscale col...

CVSS 8.7 · AI score 5.2 · EPSS 0.00171
Exploits 1
OSV
added 2025/04/01 9:15 p.m. · 2 views

AZL-59467 CVE-2025-29070 affecting package openjpeg2 2.3.1-12

A heap buffer overflow vulnerability has been identified in thesmooth2 in cmsgamma.c in lcms2-2.16 which allows a remote attacker to cause a denial of service. NOTE: the Supplier disputes this because "this is not exploitable as this function is never called on normal color management, is there...

CVSS 7.5 · AI score 6 · EPSS 0.00844
Exploits 0 · References 1
OSV
added 2025/04/01 8:15 p.m. · 1 views

UBUNTU-CVE-2025-29069

A heap buffer overflow vulnerability has been identified in the lcms2-2.16. The vulnerability exists in the UnrollChunkyBytes function in cmspack.c, which is responsible for handling color space transformations...

CVSS 7.3 · AI score 6 · EPSS 0.00364
Exploits 0 · References 3
Positive Technologies
added 2025/04/01 12:0 a.m. · 4 views

PT-2025-14384 · Lcms2 +1 · Lcms2 +1

Name of the Vulnerable Software and Affected Versions: lcms2 version 2.16. Description: A heap buffer overflow issue has been identified in the thesmooth2 function in cmsgamma.c that allows a remote attacker to cause a denial of service. This issue affects the lcms2 library, potentially allowing f...

CVSS 7.5 · AI score 6.9 · EPSS 0.00844
Exploits 0 · References 14