CVE-2021-45928

MEDIUM

libjxl < 0.6.1 - Out-of-bounds Write in ModularFrameDecoder

Title source: llm
STIX 2.1

Description

libjxl b02d6b9, as used in libvips 8.11 through 8.11.2 and other products, has an out-of-bounds write in jxl::ModularFrameDecoder::DecodeGroup (called from jxl::FrameDecoder::ProcessACGroup and jxl::ThreadPool::RunCallState<jxl::FrameDecoder::ProcessSections).

References (5)

Core 5
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36456
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/libjxl/libjxl/issues/360
Patch, Third Party Advisory x_refsource_misc
https://github.com/libjxl/libjxl/pull/365
Patch, Third Party Advisory x_refsource_misc
https://github.com/libjxl/libjxl/compare/v0.5...v0.6

Scores

CVSS v3 5.5
EPSS 0.0039
EPSS Percentile 31.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-787
Status published
Products (1)
libjxl_project/libjxl < 0.6.1
Published Jan 01, 2022
Tracked Since Feb 18, 2026