Unrated severityNVD Advisory· Published Nov 25, 2024· Updated Nov 25, 2024
Resource exhaustion via Stack overflow in libjxl
CVE-2024-11498
Description
There exists a stack buffer overflow in libjxl. A specifically-crafted file can cause the JPEG XL decoder to use large amounts of stack space (up to 256mb is possible, maybe 512mb), potentially exhausting the stack. An attacker can craft a file that will cause excessive memory usage. We recommend upgrading past commit 65fbec56bc578b6b6ee02a527be70787bbd053b0.
Affected products
14- Range: >0 || < fixed commit 65fbec56bc578b6b6ee02a527be70787bbd053b0
- osv-coords12 versionspkg:rpm/opensuse/libjxl&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/libjxl&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/libjxl&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/libjxl-gtk&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/mozjs115&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/mozjs115&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/mozjs128&distro=openSUSE%20Tumbleweedpkg:rpm/suse/libjxl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7pkg:rpm/suse/libjxl&distro=SUSE%20Package%20Hub%2015%20SP5pkg:rpm/suse/libjxl&distro=SUSE%20Package%20Hub%2015%20SP6pkg:rpm/suse/libjxl-gtk&distro=SUSE%20Package%20Hub%2015%20SP6pkg:rpm/suse/mozjs115&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6
< 0.8.2-bp155.2.6.1+ 11 more
- (no CPE)range: < 0.8.2-bp155.2.6.1
- (no CPE)range: < 0.8.4-bp156.3.3.4
- (no CPE)range: < 0.11.1-1.1
- (no CPE)range: < 0.8.4-bp156.3.3.4
- (no CPE)range: < 115.4.0-150600.3.6.1
- (no CPE)range: < 115.15.0-4.1
- (no CPE)range: < 128.5.1-3.1
- (no CPE)range: < 0.10.3-150700.4.9.1
- (no CPE)range: < 0.8.2-bp155.2.6.1
- (no CPE)range: < 0.8.4-bp156.3.3.4
- (no CPE)range: < 0.8.4-bp156.3.3.4
- (no CPE)range: < 115.4.0-150600.3.6.1
- libjxl/libjxlv5Range: 0.11.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.