CVE-2024-11403

EUVD-2024-33796

25.11.2024, 14:15

There exists an out of bounds read/write in LibJXL versions prior to commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder used by the JPEG XL encoder when doing JPEG recompression (i.e. if using JxlEncoderAddJPEGFrame on untrusted input) does not properly check bounds in the presence of incomplete codes. This could lead to an out-of-bounds write. In jpegli which is released as part of the same project, the same vulnerability is present. However, the relevant buffer is part of a bigger structure, and the code makes no assumptions on the values that could be overwritten. The issue could however cause jpegli to read uninitialised memory, or addresses of functions.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Affected Products (NVD)

Vendor	Product	Version
libjxl_project	libjxl	𝑥 < 0.8.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

jpeg-xl

bookworm	0.7.0-10+deb12u1 fixed
bookworm (security)	0.7.0-10+deb12u1 fixed
forky	0.11.1-6 fixed
sid	0.11.1-6 fixed
trixie	0.11.1-4 fixed

Ubuntu Releases

Ubuntu Product

Codename

jpeg-xl

focal	dne
jammy	dne
noble	Fixed 0.7.0-10.2ubuntu6.1 released
oracular	ignored
plucky	not-affected

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://github.com/libjxl/libjxl/commit/9cc451b91b74ba470fd72bd48c121e9f33d24c99