CVE-2025-8836
BaseFortify

Publication date: 2025-08-11

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in JasPer up to 4.2.5. Affected by this issue is the function jpc_floorlog2 of the file src/libjasper/jpc/jpc_enc.c of the component JPEG2000 Encoder. The manipulation leads to a reachable assertion. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The patch is identified as 79185d32d7a444abae441935b20ae4676b3513d4. It is recommended to apply a patch to fix this issue.
Meta Information
Published: 2025-08-11
Last Modified: 2026-04-29
Generated: 2026-05-27
AI Q&A: 2025-08-11
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
jasper_project | jasper | to 4.2.5 (inc)
CWE ID | Description
CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-8836 is an assertion failure vulnerability in the JasPer JPEG2000 Encoder affecting versions up to 4.2.5. It occurs in the function jpc_floorlog2 when it receives an input value of zero, which violates the assertion that the input must be greater than zero. This happens when malformed JPEG2000 images or invalid codec options (such as an empty cblkwidth parameter) are processed, causing the encoder to crash with an assertion failure and abort the program. The vulnerability requires local access to exploit and can cause a denial of service by crashing the encoder. [1, 2, 4]


How can this vulnerability impact me?

This vulnerability can impact you by causing the JasPer JPEG2000 encoder to crash unexpectedly when processing malformed images or invalid codec options. This leads to a denial of service condition, making the encoder unavailable for legitimate use. Since the crash is triggered locally, an attacker with local access can exploit this to disrupt services relying on the JasPer encoder, potentially affecting availability of applications or systems using this library. [1, 2, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to reproduce the assertion failure using the JasPer command-line tool with malformed codec options. Specifically, running the following command with a crafted input file triggers the vulnerability:

    ./jasper --output-format jp2 -O cblkwidth= --memory-limit 59395 --input POC_jasper_jpc_floorlog2_assertion_failure

If the program aborts with an assertion failure message similar to:

    jasper: /workspace/benchmark/program/jasper-4.2.5/src/libjasper/jpc/jpc_math.c:89: unsigned int jpc_floorlog2(uint_fast32_t): Assertion `x > 0' failed.
    Aborted

then the vulnerability is present. Monitoring for such crashes or SIGABRT signals in the JasPer encoder during local usage can also help detect exploitation attempts. [2, 4]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply the patch identified by commit 79185d32d7a444abae441935b20ae4676b3513d4, which adds proper validation checks on codec parameters such as codeblock width and height to prevent invalid zero or negative values from being processed. Until the patch is applied, avoid processing JPEG2000 images with malformed codec options, especially those that set parameters like cblkwidth to empty or invalid values. Restrict local access to the vulnerable JasPer encoder to trusted users only, as the exploit requires local access. [1, 3]
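
The failure mode and the kind of validation described above, as an added C example that is not JasPer's source or the referenced patch. The function names and the MAX_CBLK_DIM limit are assumptions made for illustration; the unchecked form uses atoi as a stand-in for whatever conversion lets an empty option value become 0.

```c
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CBLK_DIM 1024L /* assumed upper bound for this example */

/* Simplified stand-in with the contract the advisory describes: x must be > 0. */
unsigned floorlog2_asserting(uint_fast32_t x)
{
    unsigned y = 0;
    assert(x > 0); /* CWE-617: aborts the process if a caller passes 0 */
    for (; x > 1; x >>= 1)
        ++y;
    return y;
}

/* Unvalidated form: an empty or non-numeric value converts to 0 and reaches the assert. */
unsigned cblk_expn_unchecked(const char *val)
{
    return floorlog2_asserting((uint_fast32_t)atoi(val));
}

/* Validated form: returns 0 and stores the exponent, or -1 so the caller can
   report a bad option instead of aborting. */
int cblk_expn_checked(const char *val, unsigned *expn)
{
    char *end;
    long n;
    if (val == NULL || *val == '\0')
        return -1; /* e.g. "cblkwidth=" with nothing after '=' */
    errno = 0;
    n = strtol(val, &end, 10);
    if (errno != 0 || *end != '\0' || n <= 0 || n > MAX_CBLK_DIM)
        return -1; /* non-numeric, zero, negative, or out of range */
    *expn = floorlog2_asserting((uint_fast32_t)n);
    return 0;
}

int main(void)
{
    unsigned e = 0;
    int rc = cblk_expn_checked("64", &e);
    printf("\"64\" -> %d (exponent %u)\n", rc, e);
    printf("\"\"   -> %d\n", cblk_expn_checked("", &e));
    printf("\"0\"  -> %d\n", cblk_expn_checked("0", &e));
    return 0;
}
```

Because the checked form returns an error code, a calling program can reject the option and exit cleanly, so a bad parameter no longer produces SIGABRT.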

