Vulnerability DatabaseCVE-2026-1837

CVE-2026-1837:
Linux Debian vulnerability analysis and mitigation

A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.

This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

8.7

Score

Published February 11, 2026

Severity HIGH

CNA Score 8.7

Affected Technologies

Linux Debian
Linux Red Hat

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 7.3

Exploitation Probability (EPSS) N/A

Affected packages and libraries

libjxl-utils-debuginfo
libjxl0_11-x86-64-v3

Sources

NVD
Debian Security Tracker
- Debian 12, 13 No FixAdded at: Feb 12, 2026
- Debian 14 Has FixAdded at: Feb 12, 2026
Echo
- Echo No FixAdded at: Feb 12, 2026
Red Hat Errata
- Red Hat 7, 8, 9, 10 Severity HIGHNo FixAdded at: Feb 12, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Linux Debian vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-33986	HIGH	7.5	Wolfi	freerdp2	No	Yes	Mar 30, 2026
CVE-2026-33987	HIGH	7.1	Wolfi	freerdp2	No	Yes	Mar 30, 2026
CVE-2026-33995	MEDIUM	5.3	Wolfi	libwinpr	No	Yes	Mar 30, 2026
CVE-2026-34881	MEDIUM	5	Linux Debian	glance	No	Yes	Mar 31, 2026
CVE-2026-33691	N/A	N/A	Linux Debian	modsecurity-crs	No	No	Mar 31, 2026