Lucene search

GoogleCVELIST:CVE-2021-22563

HistoryNov 01, 2021 - 1:10 p.m.

CVE-2021-22563 Memory Overread in libjxl

2021-11-0113:10:13

CWE-126

Google

www.cve.org

cve-2021-22563

memory overread

libjxl

jpeg xl

out of bounds access

splines

segfault

upgrade

patch

github.

CVSS3

4.5

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

4.9

Confidence

High

EPSS

Percentile

12.8%

JSON

Invalid JPEG XL images using libjxl can cause an out of bounds access on a std::vector<std::vector<T>> when rendering splines. The OOB read access can either lead to a segfault, or rendering splines based on other process memory. It is recommended to upgrade past 0.6.0 or patch with https://github.com/libjxl/libjxl/pull/757

CNA Affected

[
  {
    "product": "libjxl",
    "vendor": "Google LLC",
    "versions": [
      {
        "lessThanOrEqual": "0.6.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/libjxl/libjxl/issues/735

github.com/libjxl/libjxl/pull/757