CVE-2025-54874

CWE-4578 documents7 sources
Severity
6.6MEDIUM
EPSS
0.1%
top 77.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Uclouvain Openjpeg
Timeline
PublishedAug 5
Latest updateJan 15

Description

OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG from 2.5.1 through 2.5.3, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

Debianopenjpeg2< 2.5.3-2.1~deb13u1+1
CVEListV5uclouvain/openjpeg>= 2.5.1, <= 2.5.3

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
openjpeg2 vulnerabilities2025-09-18
CVEList
OpenJPEG allows OOB heap memory write in opj_jp2_read_header2025-08-05
OSV
CVE-2025-54874: OpenJPEG is an open-source JPEG 2000 codec2025-08-05

📋Vendor Advisories

4
Oracle
Oracle Oracle Database Server Risk Matrix: Oracle Spatial and Graph (OpenJPEG) — CVE-2025-548742026-01-15
Ubuntu
OpenJPEG vulnerabilities2025-09-18
Red Hat
openjpeg: OpenJPEG OOB heap memory write2025-08-05
Debian
CVE-2025-54874: openjpeg2 - OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG from 2.5.1 through 2.5.3...2025
CVE-2025-54874 (MEDIUM CVSS 6.6) | OpenJPEG is an open-source JPEG 200 | cvebase.io