Severe nvJPEG2000 Vulnerabilities (CVSS 9.8) in NVIDIA’s GPU Library Could Lead to Code Execution
Ddos 
NVIDIA has issued patches for three critical vulnerabilities discovered in its nvJPEG2000 library, a high-performance GPU-accelerated tool for decoding JPEG 2000 images. These flaws, all carrying a maximum CVSS score of 9.8, could allow attackers to execute arbitrary code on vulnerable systems by simply providing a malicious JPEG 2000 file. The vulnerabilities affect version 0.8.0 of the library.
The three CVEs highlight different attack vectors within the nvJPEG2000 library:
- CVE-2024-0143: Coding Style Component Index Out-of-Bounds Write: This vulnerability resides in the library’s handling of the Coding Style Component. A specially crafted JPEG 2000 file can trigger an out-of-bounds write, corrupting memory and potentially leading to arbitrary code execution.
- CVE-2024-0144: Ndecomp Heap-Based Buffer Overflow: A heap-based buffer overflow can occur in the Ndecomp field handling. Again, a malicious JPEG 2000 file can cause an overwrite of adjacent heap memory, resulting in memory corruption and possible arbitrary code execution.
- CVE-2024-0145: Default Coding Styles Ndecomp Buffer Overflow: This heap-based buffer overflow involves the Ndecomp parameter used during JPEG 2000 file parsing. A specially crafted file can lead to memory corruption and arbitrary code execution.
All three vulnerabilities share a common attack vector: the delivery of a specially crafted JPEG 2000 file. This makes them particularly concerning, as such files could be delivered through various means, including email attachments, malicious websites, or even seemingly innocuous downloads.
The vulnerabilities were discovered by Dimitrios Tatsis of Cisco Talos, who also published the technical details for each flaw. NVIDIA responded by releasing patches on February 11, 2025.
Users relying on nvJPEG2000 for image decoding are strongly urged to update to the patched version immediately. Failure to do so could leave systems vulnerable to remote code execution, potentially allowing attackers to take control of affected machines. Given the high severity of these vulnerabilities, prompt action is crucial to mitigate the risk.
Related Posts:
💙 Support SecurityOnline.info
If this article helped you stay informed, please consider supporting us below.
PayPal