Medium severity 4.4 · NVD Advisory · Published Feb 11, 2026 · Updated Apr 24, 2026
CVE-2025-12474
Description
A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized (but allocated) memory.
This can be done by causing the decoder to reference an area outside the image bounds in subsequent patches. An incorrect optimization causes the decoder to omit populating those areas.
Affected products (1)
Patches (1)
- 4523cf652f56 · https://github.com/libjxl/libjxl · via nvd-ref
References (1)
- github.com/libjxl/libjxl/pull/4495 · nvd · Issue Tracking, Patch