CVE-2025-50952: 
NixOS vulnerability analysis and mitigation

A NULL pointer dereference vulnerability was discovered in OpenJPEG version 2.5.0, specifically in the component /openjp2/dwt.c. The vulnerability was identified and disclosed on August 7, 2025, and affects the OpenJPEG library, which is widely used in various applications for JPEG 2000 image handling (NVD, Ubuntu).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) issue. According to the CVSS 3.1 scoring system, it has received a base score of 6.5 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, and needs no privileges or user interaction (NVD).

The vulnerability affects the confidentiality and integrity of the system with low impact, while having no direct impact on availability. The issue is particularly concerning as it affects OpenJPEG version 2.5.0, which is integrated into various downstream applications and Linux distributions (Ubuntu, Debian).

A fix has been implemented in OpenJPEG version 2.5.3, as confirmed by the Debian security tracker. Users are advised to upgrade to the fixed version where available. For systems where immediate upgrade is not possible, careful validation of input files is recommended (Debian).