{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2026-1837","title":"Title"},{"category":"description","text":"A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.\n\nThis can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2026-1837","url":"https://www.suse.com/security/cve/CVE-2026-1837"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1258091 for CVE-2026-1837","url":"https://bugzilla.suse.com/1258091"},{"category":"external","summary":"Advisory link for SUSE-SU-2026:0648-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2026-February/024399.html"}],"title":"SUSE CVE CVE-2026-1837","tracking":{"current_release_date":"2026-03-13T13:26:41Z","generator":{"date":"2026-02-12T00:27:29Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2026-1837","initial_release_date":"2026-02-12T00:27:29Z","revision_history":[{"date":"2026-02-12T00:27:29Z","number":"2","summary":"vulnerabilities added,references added,severity changed from  to important"},{"date":"2026-02-26T00:28:54Z","number":"3","summary":"scores added,updates released"},{"date":"2026-02-27T00:30:07Z","number":"4","summary":"references added"},{"date":"2026-03-01T00:25:50Z","number":"5","summary":"more updates released"},{"date":"2026-03-11T16:20:17Z","number":"6","summary":"unknown changes"},{"date":"2026-03-13T13:26:41Z","number":"7","summary":"more updates marked as affected"}],"status":"interim","version":"7"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Module for Package Hub 15 SP7","product":{"name":"SUSE Linux Enterprise Module for Package Hub 15 SP7","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP7","product_identification_helper":{"cpe":"cpe:/o:suse:packagehub:15:sp7"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 16.0","product":{"name":"SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP applications 16.0","product":{"name":"SUSE Linux Enterprise Server for SAP applications 16.0","product_id":"SUSE Linux Enterprise Server for SAP applications 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server-sap"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"libjxl","product":{"name":"libjxl","product_id":"libjxl","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl@"}}},{"category":"product_version","name":"libjxl-devel","product":{"name":"libjxl-devel","product_id":"libjxl-devel","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl-devel@?upstream=libjxl.src.rpm"}}},{"category":"product_version","name":"libjxl-devel-0.10.3-150700.4.6.1","product":{"name":"libjxl-devel-0.10.3-150700.4.6.1","product_id":"libjxl-devel-0.10.3-150700.4.6.1","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl-devel@0.10.3-150700.4.6.1?upstream=libjxl-0.10.3-150700.4.6.1.src.rpm"}}},{"category":"product_version","name":"libjxl-devel-0.11.2-1.1","product":{"name":"libjxl-devel-0.11.2-1.1","product_id":"libjxl-devel-0.11.2-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl-devel@0.11.2-1.1?upstream=libjxl-0.11.2-1.1.src.rpm"}}},{"category":"product_version","name":"libjxl-tools-0.10.3-150700.4.6.1","product":{"name":"libjxl-tools-0.10.3-150700.4.6.1","product_id":"libjxl-tools-0.10.3-150700.4.6.1","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl-tools@0.10.3-150700.4.6.1?upstream=libjxl-0.10.3-150700.4.6.1.src.rpm"}}},{"category":"product_version","name":"libjxl-tools-0.11.2-1.1","product":{"name":"libjxl-tools-0.11.2-1.1","product_id":"libjxl-tools-0.11.2-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl-tools@0.11.2-1.1?upstream=libjxl-0.11.2-1.1.src.rpm"}}},{"category":"product_version","name":"libjxl0_10-0.10.3-150700.4.6.1","product":{"name":"libjxl0_10-0.10.3-150700.4.6.1","product_id":"libjxl0_10-0.10.3-150700.4.6.1","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl0_10@0.10.3-150700.4.6.1?upstream=libjxl-0.10.3-150700.4.6.1.src.rpm"}}},{"category":"product_version","name":"libjxl0_10-32bit-0.10.3-150700.4.6.1","product":{"name":"libjxl0_10-32bit-0.10.3-150700.4.6.1","product_id":"libjxl0_10-32bit-0.10.3-150700.4.6.1","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl0_10-32bit@0.10.3-150700.4.6.1?upstream=libjxl-0.10.3-150700.4.6.1.src.rpm"}}},{"category":"product_version","name":"libjxl0_11","product":{"name":"libjxl0_11","product_id":"libjxl0_11","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl0_11@?upstream=libjxl.src.rpm"}}},{"category":"product_version","name":"libjxl0_11-0.11.2-1.1","product":{"name":"libjxl0_11-0.11.2-1.1","product_id":"libjxl0_11-0.11.2-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl0_11@0.11.2-1.1?upstream=libjxl-0.11.2-1.1.src.rpm"}}},{"category":"product_version","name":"libjxl0_11-32bit-0.11.2-1.1","product":{"name":"libjxl0_11-32bit-0.11.2-1.1","product_id":"libjxl0_11-32bit-0.11.2-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl0_11-32bit@0.11.2-1.1"}}},{"category":"product_version","name":"libjxl0_11-x86-64-v3","product":{"name":"libjxl0_11-x86-64-v3","product_id":"libjxl0_11-x86-64-v3","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl0_11-x86-64-v3@?upstream=libjxl.src.rpm"}}},{"category":"product_version","name":"libjxl0_11-x86-64-v3-0.11.2-1.1","product":{"name":"libjxl0_11-x86-64-v3-0.11.2-1.1","product_id":"libjxl0_11-x86-64-v3-0.11.2-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/libjxl0_11-x86-64-v3@0.11.2-1.1?upstream=libjxl-0.11.2-1.1.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"libjxl-devel-0.10.3-150700.4.6.1 as component of SUSE Linux Enterprise Module for Package Hub 15 SP7","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-devel-0.10.3-150700.4.6.1"},"product_reference":"libjxl-devel-0.10.3-150700.4.6.1","relates_to_product_reference":"SUSE Linux Enterprise Module for Package Hub 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"libjxl-tools-0.10.3-150700.4.6.1 as component of SUSE Linux Enterprise Module for Package Hub 15 SP7","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-tools-0.10.3-150700.4.6.1"},"product_reference":"libjxl-tools-0.10.3-150700.4.6.1","relates_to_product_reference":"SUSE Linux Enterprise Module for Package Hub 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"libjxl0_10-0.10.3-150700.4.6.1 as component of SUSE Linux Enterprise Module for Package Hub 15 SP7","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-0.10.3-150700.4.6.1"},"product_reference":"libjxl0_10-0.10.3-150700.4.6.1","relates_to_product_reference":"SUSE Linux Enterprise Module for Package Hub 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"libjxl0_10-32bit-0.10.3-150700.4.6.1 as component of SUSE Linux Enterprise Module for Package Hub 15 SP7","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-32bit-0.10.3-150700.4.6.1"},"product_reference":"libjxl0_10-32bit-0.10.3-150700.4.6.1","relates_to_product_reference":"SUSE Linux Enterprise Module for Package Hub 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"libjxl-devel-0.11.2-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:libjxl-devel-0.11.2-1.1"},"product_reference":"libjxl-devel-0.11.2-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"libjxl-tools-0.11.2-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:libjxl-tools-0.11.2-1.1"},"product_reference":"libjxl-tools-0.11.2-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"libjxl0_11-0.11.2-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:libjxl0_11-0.11.2-1.1"},"product_reference":"libjxl0_11-0.11.2-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"libjxl0_11-32bit-0.11.2-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:libjxl0_11-32bit-0.11.2-1.1"},"product_reference":"libjxl0_11-32bit-0.11.2-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"libjxl0_11-x86-64-v3-0.11.2-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:libjxl0_11-x86-64-v3-0.11.2-1.1"},"product_reference":"libjxl0_11-x86-64-v3-0.11.2-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"libjxl-devel as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:libjxl-devel"},"product_reference":"libjxl-devel","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"libjxl0_11 as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:libjxl0_11"},"product_reference":"libjxl0_11","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"libjxl0_11-x86-64-v3 as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:libjxl0_11-x86-64-v3"},"product_reference":"libjxl0_11-x86-64-v3","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"libjxl as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:libjxl"},"product_reference":"libjxl","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"libjxl-devel as component of SUSE Linux Enterprise Server for SAP applications 16.0","product_id":"SUSE Linux Enterprise Server for SAP applications 16.0:libjxl-devel"},"product_reference":"libjxl-devel","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP applications 16.0"},{"category":"default_component_of","full_product_name":{"name":"libjxl0_11 as component of SUSE Linux Enterprise Server for SAP applications 16.0","product_id":"SUSE Linux Enterprise Server for SAP applications 16.0:libjxl0_11"},"product_reference":"libjxl0_11","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP applications 16.0"},{"category":"default_component_of","full_product_name":{"name":"libjxl0_11-x86-64-v3 as component of SUSE Linux Enterprise Server for SAP applications 16.0","product_id":"SUSE Linux Enterprise Server for SAP applications 16.0:libjxl0_11-x86-64-v3"},"product_reference":"libjxl0_11-x86-64-v3","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP applications 16.0"},{"category":"default_component_of","full_product_name":{"name":"libjxl as component of SUSE Linux Enterprise Server for SAP applications 16.0","product_id":"SUSE Linux Enterprise Server for SAP applications 16.0:libjxl"},"product_reference":"libjxl","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP applications 16.0"}]},"vulnerabilities":[{"cve":"CVE-2026-1837","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2026-1837"}],"notes":[{"category":"general","text":"A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.\n\nThis can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).","title":"CVE description"}],"product_status":{"known_affected":["SUSE Linux Enterprise Server 16.0:libjxl","SUSE Linux Enterprise Server 16.0:libjxl-devel","SUSE Linux Enterprise Server 16.0:libjxl0_11","SUSE Linux Enterprise Server 16.0:libjxl0_11-x86-64-v3","SUSE Linux Enterprise Server for SAP applications 16.0:libjxl","SUSE Linux Enterprise Server for SAP applications 16.0:libjxl-devel","SUSE Linux Enterprise Server for SAP applications 16.0:libjxl0_11","SUSE Linux Enterprise Server for SAP applications 16.0:libjxl0_11-x86-64-v3"],"recommended":["SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-devel-0.10.3-150700.4.6.1","SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-tools-0.10.3-150700.4.6.1","SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-0.10.3-150700.4.6.1","SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-32bit-0.10.3-150700.4.6.1","openSUSE Tumbleweed:libjxl-devel-0.11.2-1.1","openSUSE Tumbleweed:libjxl-tools-0.11.2-1.1","openSUSE Tumbleweed:libjxl0_11-0.11.2-1.1","openSUSE Tumbleweed:libjxl0_11-32bit-0.11.2-1.1","openSUSE Tumbleweed:libjxl0_11-x86-64-v3-0.11.2-1.1"]},"references":[{"category":"external","summary":"CVE-2026-1837","url":"https://www.suse.com/security/cve/CVE-2026-1837"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1258091 for CVE-2026-1837","url":"https://bugzilla.suse.com/1258091"},{"category":"external","summary":"Advisory link for SUSE-SU-2026:0648-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2026-February/024399.html"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-devel-0.10.3-150700.4.6.1","SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-tools-0.10.3-150700.4.6.1","SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-0.10.3-150700.4.6.1","SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-32bit-0.10.3-150700.4.6.1","openSUSE Tumbleweed:libjxl-devel-0.11.2-1.1","openSUSE Tumbleweed:libjxl-tools-0.11.2-1.1","openSUSE Tumbleweed:libjxl0_11-0.11.2-1.1","openSUSE Tumbleweed:libjxl0_11-32bit-0.11.2-1.1","openSUSE Tumbleweed:libjxl0_11-x86-64-v3-0.11.2-1.1"]}],"scores":[{"cvss_v3":{"baseScore":8.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-devel-0.10.3-150700.4.6.1","SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-tools-0.10.3-150700.4.6.1","SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-0.10.3-150700.4.6.1","SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-32bit-0.10.3-150700.4.6.1","openSUSE Tumbleweed:libjxl-devel-0.11.2-1.1","openSUSE Tumbleweed:libjxl-tools-0.11.2-1.1","openSUSE Tumbleweed:libjxl0_11-0.11.2-1.1","openSUSE Tumbleweed:libjxl0_11-32bit-0.11.2-1.1","openSUSE Tumbleweed:libjxl0_11-x86-64-v3-0.11.2-1.1"]}],"threats":[{"category":"impact","date":"2026-02-11T17:03:12Z","details":"important"}],"title":"CVE-2026-1837"}]}