Unrated severity · NVD Advisory · Published Jun 19, 2022 · Updated Aug 3, 2024

CVE-2022-34000

Description

libjxl 0.6.1 has an assertion failure in LowMemoryRenderPipeline::Init() in render_pipeline/low_memory_render_pipeline.cc.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

libjxl 0.6.1 contains an assertion failure in LowMemoryRenderPipeline::Init that allows denial of service via crafted input.

Vulnerability

libjxl versions prior to 0.7.0_pre20220825, including 0.6.1, contain an unnecessary assertion in the jxl::LowMemoryRenderPipeline::Init function within render_pipeline/low_memory_render_pipeline.cc. This assertion can be triggered by a specially crafted input file, causing the process to abort. The vulnerability is present in the JPEG XL image format reference implementation [1].

Exploitation

An attacker can exploit this vulnerability by providing a maliciously crafted JPEG XL image file to a libjxl-based application. No special network position or authentication is required; the attacker only needs to deliver the file to the target process (e.g., via a web browser, email attachment, or file upload). When the file is processed, the assertion fails and the process running libjxl terminates immediately [1].

Impact

Successful exploitation results in a denial of service (DoS) condition. The process running libjxl crashes, potentially disrupting services that rely on the library for image decoding. The impact is limited to availability; there is no evidence of information disclosure or remote code execution [1].

Mitigation

The vulnerability is fixed in libjxl version 0.7.0_pre20220825 and later. Users should upgrade to this version or newer. As of the advisory, no workaround is available. The Gentoo security advisory (GLSA 202210-36) recommends updating the media-libs/libjxl package to the unaffected version [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • libjxl/libjxl (description)
  • Libjxl/Libjxl (llm-fuzzy)
    Range: = 0.6.1

Patches (0)

No patches discovered yet.
