NVIDIA nvJPEG2000 Heap-Based Buffer Overflow Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A heap-based buffer overflow vulnerability has been identified in the NVIDIA nvJPEG2000 library version 0.8.0. The vulnerability arises in the handling of the Ndecomp field, where a specially crafted JPEG2000 file can overwrite adjacent heap memory. Exploitation could lead to memory corruption and arbitrary code execution.
Impact
Exploitation of this vulnerability causes a heap-based buffer overflow, allowing for memory corruption and arbitrary code execution.
Reproduction
The vulnerability can be reproduced with a specially crafted JPEG2000 file that targets the Ndecomp parameter parsing in the nvJPEG2000 library. The file manipulates the Csiz and Ccoc fields so that the buffer overflow is triggered when the nvJPEG2000 library processes it.
Remediation
Users are advised to upgrade to NVIDIA nvJPEG2000 version 0.8.1, available on the NVIDIA Developer nvJPEG2000 Downloads page.
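Where untrusted files reach a decoder that cannot be upgraded immediately, a pre-parse check can reject codestreams whose Csiz, Ccoc or Ndecomp values fall outside the ranges in ISO/IEC 15444-1. The following is an added example, not NVIDIA's fix or code from the library; it assumes a raw codestream (not a JP2 box wrapper), and all function and constant names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes; the names are this example's own. */
enum { J2K_OK, J2K_TRUNCATED, J2K_BAD_SIZ, J2K_BAD_NDECOMP, J2K_BAD_CCOC };
static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Walk a raw codestream's main header (SOC up to SOT) and reject SIZ/COD/COC
 * fields outside the ranges ISO/IEC 15444-1 allows. */
int j2k_check_main_header(const uint8_t *buf, size_t n)
{
    unsigned csiz = 0;                         /* component count from SIZ */
    size_t pos = 2;
    if (n < 4 || be16(buf) != 0xFF4F) return J2K_TRUNCATED;      /* no SOC */
    while (n - pos >= 2) {
        unsigned marker = be16(buf + pos);
        if (marker == 0xFF90) return csiz ? J2K_OK : J2K_BAD_SIZ; /* SOT */
        if (n - pos < 4) break;
        const uint8_t *seg = buf + pos + 2;    /* segment starts at its length */
        unsigned len = be16(seg);              /* length counts itself */
        if (len < 2 || len > n - pos - 2) return J2K_TRUNCATED;
        if (marker == 0xFF51) {                /* SIZ: Csiz at offset 36 */
            if (len < 38) return J2K_TRUNCATED;
            csiz = be16(seg + 36);
            if (csiz < 1 || csiz > 16384 || len != 38 + 3 * csiz) return J2K_BAD_SIZ;
        } else if (marker == 0xFF52) {         /* COD: Ndecomp at offset 7 */
            if (len < 12) return J2K_TRUNCATED;
            if (seg[7] > 32) return J2K_BAD_NDECOMP;
        } else if (marker == 0xFF53) {         /* COC: Ccoc, Scoc, Ndecomp */
            unsigned w = csiz < 257 ? 1 : 2;   /* Ccoc is 1 or 2 bytes wide */
            if (csiz == 0) return J2K_BAD_SIZ; /* COC before SIZ */
            if (len < w + 8) return J2K_TRUNCATED;
            if ((w == 1 ? seg[2] : be16(seg + 2)) >= csiz) return J2K_BAD_CCOC;
            if (seg[w + 3] > 32) return J2K_BAD_NDECOMP;
        }
        pos += 2 + (size_t)len;
    }
    return J2K_TRUNCATED;                      /* ended before SOT */
}

/* Run the check on a constructed 72-byte header (SOC, SIZ with Csiz = 1, COD,
 * COC, SOT), cut to n bytes, with the given COC component index and Ndecomp. */
int j2k_check_sample(uint8_t ccoc, uint8_t ndecomp, size_t n)
{
    uint8_t b[72] = { [0] = 0xFF, 0x4F, 0xFF, 0x51, 0, 41, [41] = 1,
        [45] = 0xFF, 0x52, 0, 12, [54] = 5,
        [59] = 0xFF, 0x53, 0, 9, [63] = ccoc, [65] = ndecomp, [70] = 0xFF, 0x90 };
    return j2k_check_main_header(b, n > 72 ? 72 : n);
}
```

The check covers only the main header; tile-part headers can carry their own COD and COC segments, so it supplements the upgrade to 0.8.1 rather than replacing it.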
