Joshua Marquart created XGC-149:
-----------------------------------

             Summary: Apache Batik and XML Graphics falsely implicated by CVE-2026-24806
                 Key: XGC-149
                 URL: https://issues.apache.org/jira/browse/XGC-149
             Project: XMLGraphicsCommons
          Issue Type: Improvement
          Components: image writer
    Affects Versions: 2.11
            Reporter: Joshua Marquart


This is not a bug in XMLGraphics or Batik; this issue is opened for 
notification / tracking purposes.

According to the National Vulnerability Database (NVD) and downstream advisory 
databases, CVE-2026-24806 applies to

Vendor: liuyueyi
Project: quick-media
Affected module: batik-codec-fix
Affected file: PNGImageEncoder.java
Vulnerability type: CWE-94: Improper Control of Code Generation

It does not apply to the following artifacts:
org.apache.xmlgraphics:batik-codec:1.19
org.apache.xmlgraphics:xmlgraphics-commons:2.11

However, note that Sonatype Lifecycle scans are currently false-flagging the 
above artifacts as vulnerable.

All three artifacts contain the class 
org.apache.batik.ext.awt.image.codec.png.PNGImageEncoder, at differing version 
levels; Quick-Media forked batik-codec-fix from Batik several versions ago. This 
is a fork attribution issue, not an Apache Batik defect.

Sonatype uses heuristic class matching; it identifies risk using:
1. Bytecode similarity
2. Class and package name matching
3. Historical association

This approach intentionally over-flags components when a vulnerable class name 
appears, even if:
1. The CVE vendor does not match
2. The upstream implementation differs
3. The vulnerable behavior is absent

This explains why batik-codec:1.19 and xmlgraphics-commons:2.11 are flagged, 
despite not being listed as affected by any CVE authority.

The vendor (Sonatype) has been notified.

Casual suggestion for teams facing this issue:

Apply a policy waiver / suppression for:
org.apache.xmlgraphics:batik-codec:1.19
org.apache.xmlgraphics:xmlgraphics-commons:2.11

Justification:
The CVE applies exclusively to the Quick-Media fork (batik-codec-fix).
Apache Batik and XML Graphics artifacts are not listed as affected by NVD, 
CVE.org, GitHub Advisories, or SentinelOne.
No vulnerable code path exists in the official Apache releases.
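Before granting a waiver, a team will want to confirm that a flagged jar really is the Apache upstream artifact rather than the fork, since the scanner keys on the shared class name rather than on provenance. The following is an added example, not code from this issue, Apache, Sonatype or Quick-Media: it reads the Maven coordinates a jar embeds in META-INF/maven/**/pom.properties and checks whether the flagged class is present. It assumes the fork ships under the artifactId batik-codec-fix; the fork's groupId is not given above, so the constructed sample uses a placeholder, and the test jars are built in memory rather than downloaded.

```python
import io
import zipfile

FLAGGED_CLASS = "org/apache/batik/ext/awt/image/codec/png/PNGImageEncoder.class"
UPSTREAM_GROUP = "org.apache.xmlgraphics"  # Apache Batik / XML Graphics artifacts
FORK_ARTIFACT = "batik-codec-fix"          # Quick-Media module named by the CVE (assumed artifactId)


def _parse_properties(text):
    """Parse a Java .properties file into a dict (key=value lines; '#'/'!' are comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def inspect_jar(jar_bytes):
    """Return (has_flagged_class, [(groupId, artifactId, version), ...]) for a jar.
    Maven-built jars embed coordinates under META-INF/maven/; shaded jars may carry several."""
    coords = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = _parse_properties(zf.read(name).decode("utf-8", "replace"))
                coords.append((p.get("groupId"), p.get("artifactId"), p.get("version")))
    return FLAGGED_CLASS in names, coords


def classify(jar_bytes):
    """Decide whether a flagged jar is the Apache upstream, the fork, or of unknown origin."""
    has_class, coords = inspect_jar(jar_bytes)
    if not has_class:
        return "class-absent"        # the heuristic trigger is not even present
    if any(a == FORK_ARTIFACT for _, a, _ in coords):
        return "quick-media-fork"    # the module the CVE actually names
    if any(g == UPSTREAM_GROUP for g, _, _ in coords):
        return "apache-upstream"     # waiver candidate, per the justification above
    return "unknown-provenance"      # no coordinates: verify the jar checksum against Maven Central


def build_sample_jar(group, artifact, version, include_class=True):
    """Constructed sample jar (not a real artifact): pom.properties plus a stub class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        if include_class:
            zf.writestr(FLAGGED_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()
```

Note that pom.properties is self-declared metadata, so a result of "apache-upstream" still deserves a checksum comparison against the published Maven Central artifact before the waiver is recorded.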



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
