CVE-2018-5268: Out-of-bounds Write in OpenCV.
5.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.54575%
CWE
Published
10/12/2021
Updated
2/1/2023
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
opencv-python | pip | <= 3.3.1.11 | 3.4.1.15 |
opencv-contrib-python | pip | <= 3.3.1.11 | 3.4.1.15 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The CVE description explicitly names cv::Jpeg2KDecoder::readComponent8u as the vulnerable function. The GitHub issue (#10541) shows an ASAN trace pointing to line 343 of grfmt_jpeg2000.cpp during the overflow. The patch (435a3e3) adds validation checks (CV_Assert) for component parameters like xstart=0, ystart=0, step=1, and data type consistency - all of which were missing in the original code. These missing checks allowed out-of-bounds writes when processing malformed images.