vulnerability

Red Hat: CVE-2024-11403: libjxl: Out of Bounds Memory Read/Write in libjxl

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:M/Au:S/C:C/I:N/A:N)	Nov 25, 2024	Jul 9, 2025	Jul 25, 2025

Severity

CVSS

(AV:N/AC:M/Au:S/C:C/I:N/A:N)

Published

Nov 25, 2024

Added

Jul 9, 2025

Modified

Jul 25, 2025

Description

There exists an out of bounds read/write in LibJXL versions prior to commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder used by the JPEG XL encoder when doing JPEG recompression (i.e. if using JxlEncoderAddJPEGFrame on untrusted input) does not properly check bounds in the presence of incomplete codes. This could lead to an out-of-bounds write. In jpegli which is released as part of the same project, the same vulnerability is present. However, the relevant buffer is part of a bigger structure, and the code makes no assumptions on the values that could be overwritten. The issue could however cause jpegli to read uninitialised memory, or addresses of functions.

Solution

no-fix-redhat-rpm-package

References

NVD-CVE-2024-11403

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today