CVE-2025-54874: 
Linux Debian vulnerability analysis and mitigation

OpenJPEG, an open-source JPEG 2000 codec, contains a vulnerability (CVE-2025-54874) discovered in version 2.5.3 and earlier versions. The vulnerability was disclosed on August 5, 2025, and involves a potential out-of-bounds heap memory write condition that occurs when calling opjjp2readheader with a too short data stream and an uninitialized pimage (NVD).

The vulnerability stems from a failure to check the return value of opjj2kreadheader() before processing its output arguments in opjjp2readheader(). When opjj2kreadheaderprocedure() fails while obtaining marker segment data due to a short data stream, opjj2kreadheader() cannot initialize pimage, leaving it uninitialized. The vulnerability has been assigned a CVSS v4.0 score of 6.6 (Medium) with vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P (NVD, GitHub PR).

The vulnerability can lead to an out-of-bounds heap memory write when processing specially crafted JPEG 2000 images. The exploitability depends on the specific usage of the OpenJPEG library, and the uninitialized variable could potentially contain arbitrary memory addresses. This could result in memory corruption and potentially lead to arbitrary code execution (GitHub Advisory).

A fix has been implemented in commit f809b80c67717c152a5ad30bf06774f00da4fd2d, which adds a check for the return value of opjj2kreadheader() before using the output argument pimage. Users should upgrade to a version containing this fix (GitHub Commit).