CVE-2021-3575
📋 TL;DR
This vulnerability allows remote code execution via a heap-based buffer overflow in openjpeg when processing malicious JPEG 2000 (.j2k) files. Attackers can exploit this to execute arbitrary code with the permissions of the application using openjpeg. Any system or application that uses vulnerable versions of openjpeg to process JPEG 2000 images is affected.
💻 Affected Systems
- openjpeg
- libopenjp2
- applications using openjpeg library
📦 What is this software?
Fedora by Fedoraproject
Openjpeg by Uclouvain
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the vulnerable application, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Application crash (denial of service) or limited code execution within the application's context, potentially allowing lateral movement in enterprise environments.
If Mitigated
Application crash with no code execution if proper memory protections (ASLR, DEP) are enabled and effective.
🎯 Exploit Status
Exploitation requires crafting a malicious .j2k file and getting it processed by vulnerable software. Public proof-of-concept exists in GitHub issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: openjpeg 2.4.0 and later
Vendor Advisory: https://github.com/uclouvain/openjpeg/issues/1347
Restart Required: Yes
Instructions:
1. Update openjpeg to version 2.4.0 or later using your package manager.
2. For Linux: 'sudo apt update && sudo apt upgrade libopenjp2-7' (Debian/Ubuntu) or 'sudo yum update openjpeg2' (RHEL/CentOS).
3. Recompile any applications using openjpeg with the updated library.
4. Restart affected services or applications.
🔧 Temporary Workarounds
Disable JPEG 2000 processing
all: Configure applications to reject or not process .j2k/.jp2 files
Use application sandboxing
linux: Run vulnerable applications in containers or with reduced privileges
docker run --security-opt no-new-privileges -v /path:/path image_name
🧯 If You Can't Patch
- Implement strict file upload filtering to block .j2k/.jp2 files at the network perimeter
- Deploy application control to prevent execution of vulnerable openjpeg binaries
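
An added example, not from the original page or the openjpeg project: a content-based check for the upload filtering above. It identifies JPEG 2000 by its leading bytes so that a file is rejected regardless of its name; the function names and the constructed sample bytes are assumptions.

```python
"""Added example: classify uploads as JPEG 2000 by content, not only by name."""

# JP2 container: the 12-byte signature box that opens every .jp2 file.
JP2_SIGNATURE = bytes.fromhex("0000000c6a5020200d0a870a")
# Raw codestream (.j2k): SOC marker FF4F immediately followed by SIZ marker FF51.
J2K_CODESTREAM = bytes.fromhex("ff4fff51")

# Extensions named on this page; the content check covers any other name.
BLOCKED_EXTENSIONS = (".j2k", ".jp2")


def sniff_jpeg2000(head: bytes):
    """Return 'jp2', 'j2k' or None from the first bytes of a file."""
    if head.startswith(JP2_SIGNATURE):
        return "jp2"
    if head.startswith(J2K_CODESTREAM):
        return "j2k"
    return None


def should_reject(filename: str, head: bytes):
    """Decide whether an upload must be kept away from the decoder.

    Returns (reject, reason). Content is checked first, so the file name
    does not matter; the extension check is kept as a second net.
    """
    kind = sniff_jpeg2000(head)
    if kind:
        return True, f"content is JPEG 2000 ({kind})"
    if filename.lower().endswith(BLOCKED_EXTENSIONS):
        return True, "blocked extension"
    return False, "not JPEG 2000"


if __name__ == "__main__":
    # Constructed samples: magic bytes plus padding, not real images.
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    samples = [
        ("scan.jp2", JP2_SIGNATURE + b"\x00" * 8),
        ("avatar.png", J2K_CODESTREAM + b"\x00" * 8),  # name and content disagree
        ("report.J2K", png_head),
        ("avatar.png", png_head),
    ]
    for name, head in samples:
        print(name, should_reject(name, head))
```

Read at least the first 12 bytes of each upload and pass them as `head`; run the check before the file reaches any code path that calls the decoder.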
🔍 How to Verify
Check if Vulnerable:
Check the openjpeg version: 'opj_decompress -v' or 'dpkg -l | grep openjpeg' or 'rpm -qa | grep openjpeg'. If the version is below 2.4.0, the system is vulnerable.
Check Version:
opj_decompress -v 2>&1 | head -1
Verify Fix Applied:
Confirm that the openjpeg version is 2.4.0 or later using the version check commands. Test with a known malicious .j2k file in a controlled environment.
📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults when processing image files
- Unexpected child process spawning from image processing applications
Network Indicators:
- Unusual outbound connections from image processing services
- Upload of .j2k/.jp2 files to web applications
SIEM Query:
source="application.logs" AND ("segmentation fault" OR "SIGSEGV") AND (process="*openjpeg*" OR file_extension=".j2k" OR file_extension=".jp2")
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=1957616
- https://github.com/uclouvain/openjpeg/issues/1347
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZ54FGM2IGAP4AWSJ22JKHOPHCR3FGYU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB6AI7CWXWMEDZIQY4LQ6DMIEXMDOHUP/
- https://ubuntu.com/security/CVE-2021-3575
- https://lists.debian.org/debian-lts-announce/2025/04/msg00002.html