CVE-2024-0142 is a vulnerability classified under CWE-787 (Out-of-bounds Write) found in NVIDIA's nvJPEG2000 library version 0.8.0. The flaw arises when the library processes a specially crafted JPEG2000 image file, leading to an out-of-bounds write condition. This memory corruption can potentially allow an attacker to overwrite adjacent memory regions, which may result in arbitrary code execution or data tampering. The vulnerability is remotely exploitable over a network (AV:N) but requires high attack complexity (AC:H), no privileges (PR:N), and user interaction (UI:R). The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. The CVSS v3.1 base score is 6.8, indicating a medium severity level. The integrity and availability impacts are high, while confidentiality impact is none. No known exploits have been reported in the wild, and no patches have been published yet. The nvJPEG2000 library is used in NVIDIA’s GPU-accelerated image processing pipelines, often integrated into software handling JPEG2000 images in various industries. Exploiting this vulnerability could allow attackers to execute arbitrary code or modify data, potentially disrupting services or compromising system integrity. Due to the requirement for user interaction, exploitation might occur through social engineering or malicious file delivery. The vulnerability was reserved in December 2023 and published in February 2025, indicating a recent discovery. Organizations using NVIDIA’s nvJPEG2000 library should be vigilant and prepare to apply patches once available.

The vulnerability poses a significant risk to organizations that utilize NVIDIA's nvJPEG2000 library for processing JPEG2000 images, especially in environments where untrusted image files are handled. Successful exploitation can lead to arbitrary code execution, allowing attackers to run malicious code within the context of the vulnerable application, potentially leading to full system compromise. Data tampering could undermine the integrity of image data or related processing workflows, impacting reliability and trustworthiness of outputs. Availability may also be affected if the exploit causes application crashes or system instability. Given the remote network attack vector and lack of required privileges, attackers could target exposed services or users who open malicious JPEG2000 files. The need for user interaction reduces the likelihood of automated widespread exploitation but does not eliminate targeted attacks, particularly in sectors relying heavily on NVIDIA GPU-accelerated image processing such as media, scientific research, and defense. The absence of patches and known exploits means organizations currently face a window of exposure. The impact extends to confidentiality indirectly if attackers leverage code execution to escalate privileges or move laterally within networks.

Until official patches are released by NVIDIA, organizations should implement several practical mitigations: 1) Restrict or block untrusted JPEG2000 files from being processed by systems using the nvJPEG2000 library, especially from external or unknown sources. 2) Employ robust file validation and sandboxing techniques to isolate image processing tasks, limiting the potential damage from exploitation. 3) Monitor network and endpoint logs for unusual activity related to JPEG2000 file handling or nvJPEG2000 library usage. 4) Educate users about the risks of opening untrusted image files and implement policies to reduce user interaction with potentially malicious content. 5) Use application whitelisting and least privilege principles to limit the execution context of vulnerable applications. 6) Prepare for rapid deployment of patches once NVIDIA releases updates by maintaining an inventory of affected systems and software versions. 7) Consider alternative image processing libraries or workflows if immediate risk reduction is necessary and feasible. 8) Employ intrusion detection systems with signatures or heuristics targeting JPEG2000 exploitation attempts when available.