CVE-2019-12973

Name: CVE-2019-12973
Creator: NVD / NIST
Published: 2019-06-26T18:15:10.12+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.5/10EPSS 2.60%

Last modified Jun 17, 2026

CVE-2019-12973 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. EPSS estimates a 2.60% chance of exploitation in the next 30 days.

Description

In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616.

Metrics

CVSS 3.1

5.5/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS Probability

2.60%

83.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-834

Affected Software

Vendor	Product	Versions
Uclouvain	Openjpeg	2.3.1
Opensuse	Leap	15.0
Opensuse	Leap	15.1
Debian	Debian Linux	9.0
Oracle	Database Server	18c
Oracle	Outside In Technology	8.5.4
Oracle	Outside In Technology	8.5.5

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.htmlMailing List, Third Party Advisory
http://www.securityfocus.com/bid/108900Third Party Advisory, VDB Entry
https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3Patch, Third Party Advisory
https://github.com/uclouvain/openjpeg/pull/1185/commits/cbe7384016083eac16078b359acd7a842253d503Broken Link
https://lists.debian.org/debian-lts-announce/2020/07/msg00008.htmlMailing List, Third Party Advisory
https://security.gentoo.org/glsa/202101-29Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.htmlMailing List, Third Party Advisory
http://www.securityfocus.com/bid/108900Third Party Advisory, VDB Entry
https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3Patch, Third Party Advisory
https://github.com/uclouvain/openjpeg/pull/1185/commits/cbe7384016083eac16078b359acd7a842253d503Broken Link
https://lists.debian.org/debian-lts-announce/2020/07/msg00008.htmlMailing List, Third Party Advisory
https://security.gentoo.org/glsa/202101-29Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory

Timeline

Published: Jun 26, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-12973?

How severe is CVE-2019-12973?

CVE-2019-12973 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 2.60% probability of exploitation in the next 30 days.

How do I fix CVE-2019-12973?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-12973?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST