CVE-2020-14152
Description
In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In libjpeg before 9d, jpeg_mem_available() ignores the max_memory_to_use limit, causing excessive memory consumption.
Vulnerability
In IJG JPEG (libjpeg) versions prior to 9d, the jpeg_mem_available() function in jmemnobs.c does not honor the max_memory_to_use setting. This oversight allows memory allocation to exceed the configured limit, potentially leading to excessive memory consumption when processing crafted JPEG files [1].
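The sketch below is an added example, not libjpeg's code: it models a memory-availability callback that ignores a configured cap next to one that honors it. The struct, function names and sizes are hypothetical and constructed for the illustration; only the max_memory_to_use setting comes from the description.

```c
#include <stdio.h>

/* Hypothetical, simplified stand-in for a decoder's memory manager state. */
typedef struct {
    long max_memory_to_use;     /* configured cap in bytes; 0 means no cap */
    long total_space_allocated; /* bytes granted so far */
} model_mem_mgr;

/* Behaviour the CVE describes: the cap is never consulted. */
static long avail_ignoring_limit(const model_mem_mgr *m, long max_needed)
{
    (void)m;
    return max_needed;
}

/* Limit-honoring behaviour: report only what is left under the cap. */
static long avail_honoring_limit(const model_mem_mgr *m, long max_needed)
{
    if (m->max_memory_to_use > 0) {
        long left = m->max_memory_to_use - m->total_space_allocated;
        if (left < 0)
            left = 0;
        return left < max_needed ? left : max_needed;
    }
    return max_needed;
}

typedef long (*avail_fn)(const model_mem_mgr *, long);

/* Request `count` buffers of `size` bytes each. A request is granted only
 * when the callback reports enough room; otherwise the caller stops, as a
 * decoder would fail the image. Returns the total bytes granted. */
static long simulate_requests(avail_fn avail, long cap, long size, int count)
{
    model_mem_mgr m = { cap, 0 };
    for (int i = 0; i < count; i++) {
        if (avail(&m, size) < size)
            break;
        m.total_space_allocated += size;
    }
    return m.total_space_allocated;
}

int main(void)
{
    long cap = 1000000L, size = 300000L; /* constructed sample values */
    printf("cap ignored: %ld bytes granted\n",
           simulate_requests(avail_ignoring_limit, cap, size, 10));
    printf("cap honored: %ld bytes granted\n",
           simulate_requests(avail_honoring_limit, cap, size, 10));
    return 0;
}
```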
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted JPEG image to an application that uses the affected libjpeg library (e.g., djpeg). No authentication is required; the attack relies on user interaction, such as opening the malicious image. The library will allocate memory without respecting the user-defined limit, gradually exhausting available memory [1].
Impact
Successful exploitation results in uncontrolled memory consumption, leading to a denial-of-service (DoS) condition. The application or system may become unresponsive or crash due to memory exhaustion. The impact is limited to availability; no data confidentiality or integrity is compromised [1].
Mitigation
The vulnerability is fixed in libjpeg version 9d, released on 2020-06-15. Users should update to version 9d or later. No workarounds are documented in the available references [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- IJG JPEG/libjpeg
Patches
No patches discovered yet.
References
- www.ijg.org/files/jpegsrc.v9d.tar.gz (mitre, x_refsource_MISC)
- bugs.gentoo.org/727908 (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2020/07/msg00033.html (mitre, mailing-list, x_refsource_MLIST)