{"id":"CVE-2025-8836","details":"A vulnerability was found in JasPer up to 4.2.5. It affects the function jpc_floorlog2 in the file src/libjasper/jpc/jpc_enc.c of the JPEG2000 Encoder component. The manipulation leads to a reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be used. The patch is identified as commit 79185d32d7a444abae441935b20ae4676b3513d4. Applying this patch is recommended to fix the issue.","modified":"2026-04-12T22:06:19.636667Z","published":"2025-08-11T08:15:26.700Z","related":["SUSE-SU-2025:03219-1","SUSE-SU-2025:03367-1","SUSE-SU-2025:3947-1","SUSE-SU-2026:20200-1","openSUSE-SU-2025:15447-1","openSUSE-SU-2026:20138-1"],"references":[{"type":"ADVISORY","url":"https://vuldb.com/?id.319370"},{"type":"REPORT","url":"https://github.com/jasper-software/jasper/issues/401"},{"type":"REPORT","url":"https://vuldb.com/?ctiid.319370"},{"type":"FIX","url":"https://github.com/jasper-software/jasper/commit/79185d32d7a444abae441935b20ae4676b3513d4"},{"type":"EVIDENCE","url":"https://drive.google.com/file/d/1pPgndhHh2z0lk99Wt31W-XIW3XWt8FB3/view?usp=drive_link"},{"type":"EVIDENCE","url":"https://vuldb.com/?submit.622409"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jasper-software/jasper","events":[{"introduced":"0"},{"fixed":"79185d32d7a444abae441935b20ae4676b3513d4"}]},{"type":"GIT","repo":"https://github.com/mdadams/jasper","events":[{"introduced":"0"},{"last_affected":"849888f0a6e76bb440581d5f8c0a947a39e92aa2"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.2.5"}]}}],"versions":["manual-version-mdadams-20220109-2039","manual-version-mdadams-20221103-1902","mdadams-clang-issue","version-1.900.1","version-1.900.10","version-1.900.11","version-1.900.12","version-1.900.13","version-1.900.14","version-1.900.15","version-1.900.16","version-1.900.17","version-1.900.18","version-1.900.19","version-1.900.2","version-1.900.20","version-1.900.2
1","version-1.900.22","version-1.900.23","version-1.900.24","version-1.900.25","version-1.900.26","version-1.900.27","version-1.900.28","version-1.900.29","version-1.900.3","version-1.900.30","version-1.900.31","version-1.900.4","version-1.900.5","version-1.900.6","version-1.900.7","version-1.900.8","version-1.900.9","version-2.0.0","version-2.0.0-beta.1","version-2.0.0-beta.2","version-2.0.1","version-2.0.10","version-2.0.11","version-2.0.12","version-2.0.13","version-2.0.14","version-2.0.15","version-2.0.16","version-2.0.19","version-2.0.2","version-2.0.20","version-2.0.21","version-2.0.21-rc1","version-2.0.22","version-2.0.22-rc1","version-2.0.23","version-2.0.24","version-2.0.25","version-2.0.26","version-2.0.27","version-2.0.28","version-2.0.29","version-2.0.3","version-2.0.31","version-2.0.32","version-2.0.33","version-2.0.4","version-2.0.5","version-2.0.6","version-2.0.7","version-2.0.8","version-2.0.9","version-3.0.0","version-3.0.0-rc1","version-3.0.0-rc2","version-3.0.1","version-3.0.2","version-3.0.3","version-3.0.4","version-3.0.5","version-3.0.6","version-4.0.0","version-4.0.0-rc1","version-4.0.1","version-4.0.1-rc1","version-4.1.0","version-4.1.0-rc1","version-4.1.0-rc2","version-4.1.1","version-4.1.1-rc1","version-4.1.2","version-4.2.0","version-4.2.0-rc1","version-4.2.1","version-4.2.2","version-4.2.3","version-4.2.4","version-4.2.5","version-4.2.6"],"database_specific":{"vanir_signatures_modified":"2026-04-12T22:06:19Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-8836.json","vanir_signatures":[{"deprecated":false,"source":"https://github.com/jasper-software/jasper/commit/79185d32d7a444abae441935b20ae4676b3513d4","target":{"file":"src/libjasper/jpc/jpc_t2dec.c"},"id":"CVE-2025-8836-7bab6148","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["2808549659230441258591704893260531483","152350413999375798091580633165791648738","89357717307011943669892499019798070010","1904627393321487333719190176272624499
35"]},"signature_type":"Line"},{"deprecated":false,"source":"https://github.com/jasper-software/jasper/commit/79185d32d7a444abae441935b20ae4676b3513d4","target":{"file":"src/libjasper/jpc/jpc_enc.c"},"id":"CVE-2025-8836-e0a04d38","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["237912852561659326688265534140589776533","254823429433087360657677579430210393627","268898736995184040550984507750799762664","205282901754745453981793837589784781698","41444441923975013381984834143321666911","70855659758594358193525234165504697482","327894046701496686997637612650893001729","109174680587702792380036493072285990714","41345054949662030372973143754714765162","180658253739375116473477615792864182852","79315628157822258406844771310324878286","67586316295195733854351168147717538049","333982810349512912551522552036163560004","334422485913351420634949697777867226372","164139617763152545632729210789287158709"]},"signature_type":"Line"},{"deprecated":false,"source":"https://github.com/jasper-software/jasper/commit/79185d32d7a444abae441935b20ae4676b3513d4","target":{"function":"cp_create","file":"src/libjasper/jpc/jpc_enc.c"},"id":"CVE-2025-8836-e243c457","signature_version":"v1","digest":{"length":10255,"function_hash":"170950207524899007564644692247480375351"},"signature_type":"Function"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}