CVE-2022-1122 — Improper Initialization in Openjpeg Project Openjpeg2

CWE-665 — Improper Initialization CWE-824 — Access of Uninitialized Pointer9 documents8 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 82.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Openjpeg Project Openjpeg2 Debian Linux Fedoraproject Fedora +1 more

Timeline

PublishedMar 29

Latest updateNov 5

Description

A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Debianthe_openjpeg_project/openjpeg2< 2.4.0-3+deb11u1+3

▶CVEListV5the_openjpeg_project/openjpeg2openjpeg2 version 2.4.0 and prior

▶NVDuclouvain/openjpeg2.4.0

Also affects: Debian Linux 9.0, Fedora 34, 35, 36

🔴Vulnerability Details

GHSA

GHSA-4x8v-rchj-qvpf: A flaw was found in the opj2_decompress program in openjpeg2 2↗2022-03-30

▶

OSV

CVE-2022-1122: A flaw was found in the opj2_decompress program in openjpeg2 2↗2022-03-29

▶

CVEList

CVE-2022-1122: A flaw was found in the opj2_decompress program in openjpeg2 2↗2022-03-29

▶

📋Vendor Advisories

Ubuntu

OpenJPEG vulnerabilities↗2024-11-05

▶

Oracle

Oracle Oracle Supply Chain Risk Matrix: Security (OpenJPEG) — CVE-2022-1122↗2023-07-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: DC-Specific Component (OpenJPEG) — CVE-2022-1122↗2023-01-15

▶

Debian

CVE-2022-1122: openjpeg2 - A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it...↗2022

▶

Red Hat

openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer↗2021-07-13

▶