CVE-2024-56827: 
Linux Debian vulnerability analysis and mitigation

A heap buffer overflow vulnerability (CVE-2024-56827) was discovered in the OpenJPEG project. The vulnerability affects the opj_decompress utility when certain options are specified. This security flaw was disclosed on January 8, 2025, and affects the OpenJPEG library up to version 2.5.2 (NVD, Ubuntu Security).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) that occurs in the opjj2kaddtlmarker function within lib/openjp2/j2k.c. The issue is triggered specifically when using the opjdecompress utility with the -t option and its argument set to 1. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.6 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H (NVD, GitHub Issue).

When exploited, this vulnerability can lead to an application crash or other undefined behavior. The heap buffer overflow condition could potentially allow for information disclosure and high availability impact, though no code execution has been confirmed (NVD).

A fix has been released through a patch that validates the current tile-part number against the total number of tile-parts. The fix is available in the OpenJPEG repository through commit e492644. Multiple Linux distributions have released security updates to address this vulnerability, including Ubuntu and Debian (GitHub Commit, Debian Security).