CVE-2020-13790

HIGH

Libjpeg-turbo - Out-of-Bounds Read

Title source: rule
STIX 2.1

Description

libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

References (9)

Core 9
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4386-1/
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/07/msg00033.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202010-03

Scores

CVSS v3 8.1
EPSS 0.0048
EPSS Percentile 65.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Details

CWE
CWE-125
Status published
Products (2)
libjpeg-turbo/libjpeg-turbo 2.0.4
mozilla/mozjpeg 4.0.0
Published Jun 03, 2020
Tracked Since Feb 18, 2026