Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close


Published: 3 September 2018

An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact.


Ubuntu packages are built with BUILD_MJ2:BOOL=OFF, so the
affected code isn't compiled
according to the comments available in issue 1328 of openjpeg
(, this issue
will not be fixed by upstream, as the vulnerable components
were simply removed from the code in pull request #1350. For
this reason, xenial and trusty cannot be patched for this issue
in package openjpeg.



Cvss 3 Severity Score


Score breakdown


Package Release Status
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

focal Does not exist

trusty Ignored
(see notes)
upstream Needed

xenial Ignored
(end of standard support)
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not built)
cosmic Ignored
(end of life)
disco Ignored
(end of life)
eoan Ignored
(end of life)
focal Not vulnerable
(code not built)
trusty Does not exist

upstream Needed

xenial Not vulnerable
(code not built)

Severity score breakdown

Parameter Value
Base score 8.8
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H