CVE-2024-0144 identifies a classic buffer overflow vulnerability (CWE-120) in NVIDIA's nvJPEG2000 library version 0.8.0. The vulnerability occurs due to a lack of proper input size validation during buffer copy operations when processing JPEG2000 image files. An attacker can craft a malicious JPEG2000 file that triggers this buffer overflow, potentially overwriting adjacent memory. This can lead to data tampering, compromising the integrity of the processed data, and may also cause denial of service by crashing the application or system component using the library. The vulnerability is remotely exploitable over the network (AV:N), requires high attack complexity (AC:H), no privileges (PR:N), but does require user interaction (UI:R), such as opening or processing the malicious file. The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. The CVSS v3.1 base score is 6.8, indicating medium severity, with impacts on integrity and availability but no confidentiality loss. Currently, no public exploits or patches are available, and the vulnerability was reserved in December 2023 and published in February 2025. The nvJPEG2000 library is used in NVIDIA's software stack for JPEG2000 image decoding, which is relevant in graphics processing, AI workloads, and potentially other multimedia applications.

The vulnerability poses a significant risk to organizations relying on NVIDIA's nvJPEG2000 library for JPEG2000 image processing. Successful exploitation can lead to data tampering, undermining the integrity of image data or any dependent processing workflows. Additionally, the buffer overflow can cause application or system crashes, impacting availability and potentially leading to denial of service conditions. This could disrupt services in environments where image processing is critical, such as AI model training, medical imaging, or multimedia content delivery. Since exploitation requires user interaction, phishing or social engineering could be vectors to deliver malicious JPEG2000 files. The lack of privilege requirements and network attack vector increases the exposure, especially in environments where untrusted image files are processed automatically or by end users. Although no confidentiality impact is noted, the integrity and availability impacts can have downstream effects on business operations, data accuracy, and service reliability.

1. Monitor NVIDIA's official channels for patches addressing CVE-2024-0144 and apply updates promptly once available. 2. Until patches are released, implement strict input validation and sanitization for JPEG2000 files before processing with nvJPEG2000. 3. Employ sandboxing or containerization techniques to isolate the image processing components, limiting the impact of potential exploitation. 4. Restrict the acceptance of JPEG2000 files from untrusted or unauthenticated sources, especially in automated workflows. 5. Educate users about the risks of opening untrusted image files and implement security awareness training to reduce the likelihood of user interaction exploitation. 6. Use runtime application self-protection (RASP) or intrusion detection systems to monitor for anomalous behavior during image processing. 7. Review and harden network controls to limit exposure of services that process JPEG2000 images to trusted networks only. 8. Conduct code audits and fuzz testing on image processing components to identify and remediate similar vulnerabilities proactively.