CVE-2024-11498

Name
CVE-2024-11498
Description
There exists a stack buffer overflow in libjxl. A specifically-crafted file can cause the JPEG XL decoder to use large amounts of stack space (up to 256mb is possible, maybe 512mb), potentially exhausting the stack. An attacker can craft a file that will cause excessive memory usage. We recommend upgrading past commit 65fbec56bc578b6b6ee02a527be70787bbd053b0.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
https://github.com/libjxl/libjxl/pull/3943

Match rules

CPE URI Source package Min version Max version
libjxl >= 0.11.0 < 65fbec56bc578b6b6ee02a527be70787bbd053b0
libjxl >= 0.10.0-2 < 65fbec56bc578b6b6ee02a527be70787bbd053b0
libjxl >= 0.9.0-3 < 65fbec56bc578b6b6ee02a527be70787bbd053b0
libjxl >= 0.8.0-3 < 65fbec56bc578b6b6ee02a527be70787bbd053b0
libjxl >= 0.7.0-1 < 65fbec56bc578b6b6ee02a527be70787bbd053b0
cpe:2.3:a:libjxl_project:libjxl:*:*:*:*:*:*:*:* libjxl >= None < 0.8.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
libjxl edge-community 0.11.1-r3 Alex Xu (Hello71) <alex_y_xu@yahoo.ca> fixed
libjxl edge-community 0.11.1-r2 Alex Xu (Hello71) <alex_y_xu@yahoo.ca> fixed
libjxl edge-community 0.11.1-r1 Alex Xu (Hello71) <alex_y_xu@yahoo.ca> fixed
libjxl edge-community 0.11.1-r0 Alex Xu (Hello71) <alex_y_xu@yahoo.ca> fixed
libjxl edge-community 0.10.3-r2 Alex Xu (Hello71) <alex_y_xu@yahoo.ca> possibly vulnerable
libjxl edge-community 0.10.3-r1 Alex Xu (Hello71) <alex_y_xu@yahoo.ca> possibly vulnerable
libjxl edge-community 0.10.3-r0 Alex Xu (Hello71) <alex_y_xu@yahoo.ca> possibly vulnerable
libjxl 3.22-community 0.10.4-r0 Alex Xu (Hello71) <alex_y_xu@yahoo.ca> possibly vulnerable
libjxl 3.22-community 0.10.3-r2 Alex Xu (Hello71) <alex_y_xu@yahoo.ca> possibly vulnerable
libjxl 3.21-community 0.10.4-r0 Alex Xu (Hello71) <alex_y_xu@yahoo.ca> fixed
libjxl 3.20-community 0.10.2-r0 Alex Xu (Hello71) <alex_y_xu@yahoo.ca> possibly vulnerable