Out of Bounds read in libjxl
Description
An out of bounds read exists in libjxl. An attacker using a specifically crafted file could cause an out of bounds read in the exif handler. We recommend upgrading to version 0.8.1 or past commit https://github.com/libjxl/libjxl/pull/2101/commits/d95b050c1822a5b1ede9e0dc937e43fca1b10159
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
libjxl 0.8.0 and earlier contain an out-of-bounds read in the EXIF handler, exploitable via a crafted JPEG XL image.
Vulnerability
An out-of-bounds read vulnerability exists in the EXIF handler of the libjxl library. The bug resides in the lib/jxl/exif.h file and can be triggered when processing a specifically crafted JPEG XL (JXL) image file containing malformed EXIF metadata. All versions prior to 0.8.1 and commits before d95b050c1822a5b1ede9e0dc937e43fca1b10159 are affected [1][2].
Exploitation
An attacker must craft a JPEG XL image with specially constructed EXIF data. To exploit the vulnerability, the attacker only needs to coerce a victim into opening or processing this malicious JXL file with an application that relies on libjxl (e.g., an image viewer, a thumbnailer, or an online conversion service). No special network position or authentication is required; the attack vector is local, or remote when the file is downloaded and then processed [1][2].
Impact
A successful out-of-bounds read could leak sensitive data from the process memory, potentially exposing encryption keys, authentication tokens, or other confidential information. The read occurs at the privilege level of the application processing the malformed file. There is no indication of memory corruption or code execution; the primary impact is information disclosure [1][2].
Mitigation
The vulnerability is fixed in libjxl version 0.8.1 and in the specific commit d95b050c1822a5b1ede9e0dc937e43fca1b10159 [1][2]. Users should upgrade to libjxl 0.8.1 or later. If upgrading is not immediately possible, deploy input validation to reject images with suspicious or oversized EXIF segments. Apart from such filtering, no workaround other than patching is known.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=0.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References