Description
In libjpeg-turbo 2.0.2, a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE: the vendor's expectation, for use cases in which this memory usage would be a denial of service, is that the application should interpret libjpeg warnings as fatal errors (aborting decompression) and/or set limits on resource consumption or image sizes
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/337
Exploit, Patch, Vendor Advisory x_refsource_misc
https://libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
Scores
CVSS v3
5.5
EPSS
0.0095
EPSS Percentile
56.7%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Details
CWE
CWE-770
Status
published
Products (1)
libjpeg-turbo/libjpeg-turbo
2.0.2
Published
Jul 18, 2019
Tracked Since
Feb 18, 2026