CVE-2026-1837

EUVD-2026-6177
A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.

This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Affected Products (NVD)
VendorProductVersion
libjxl_projectlibjxl
0.9.0 ≤
𝑥
≤ 0.11.1
𝑥
= Vulnerable software versions
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
firefox
Amazon Linux 2023
0:140.7.1-1.amzn2023.0.1
fixed
firefox-debuginfo
Amazon Linux 2023
0:140.7.1-1.amzn2023.0.1
fixed
firefox-debugsource
Amazon Linux 2023
0:140.7.1-1.amzn2023.0.1
fixed
jpegxl-debuginfo
Amazon Linux 2023
1:0.10.3-55.amzn2023
fixed
jpegxl-debugsource
Amazon Linux 2023
1:0.10.3-55.amzn2023
fixed
jpegxl-doc
Amazon Linux 2023
1:0.10.3-55.amzn2023
fixed
jxl-pixbuf-loader
Amazon Linux 2023
1:0.10.3-55.amzn2023
fixed
jxl-pixbuf-loader-debuginfo
Amazon Linux 2023
1:0.10.3-55.amzn2023
fixed
libjxl
Amazon Linux 2023
1:0.10.3-55.amzn2023
fixed
libjxl-debuginfo
Amazon Linux 2023
1:0.10.3-55.amzn2023
fixed
libjxl-devel
Amazon Linux 2023
1:0.10.3-55.amzn2023
fixed
libjxl-devtools
Amazon Linux 2023
1:0.10.3-55.amzn2023
fixed
libjxl-devtools-debuginfo
Amazon Linux 2023
1:0.10.3-55.amzn2023
fixed
libjxl-utils
Amazon Linux 2023
1:0.10.3-55.amzn2023
fixed
libjxl-utils-debuginfo
Amazon Linux 2023
1:0.10.3-55.amzn2023
fixed
thunderbird
Amazon Linux 2
0:140.7.2-1.amzn2.0.1
fixed