Platform: c
Component: libjxl
Fixed in: 0.6.1
CVE-2021-22563 describes an out-of-bounds read vulnerability discovered in libjxl, a library for JPEG XL image encoding and decoding. This flaw allows specially crafted JPEG XL images to trigger memory corruption during spline rendering, potentially leading to a denial of service or, in more severe cases, arbitrary code execution. The vulnerability affects versions of libjxl up to and including 0.6.0, and a patch is available on the libjxl GitHub repository.
An attacker could exploit this vulnerability by providing a malicious JPEG XL image to an application that uses libjxl for decoding. The crafted image would trigger an out-of-bounds read access within the std::vector<std::vector<T>> data structure used for spline rendering. This could lead to a segmentation fault, causing the application to crash. More critically, the out-of-bounds read could allow the attacker to read data from arbitrary memory locations, potentially revealing sensitive information or even overwriting critical data, leading to arbitrary code execution. The blast radius depends on the application using libjxl; if it's a core system component, the impact could be widespread.
CVE-2021-22563 was publicly disclosed on November 1, 2021. There is no indication of active exploitation at this time. A public proof-of-concept (PoC) is not currently available, but the vulnerability's nature suggests that one could be developed relatively easily. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status:
EPSS: 0.04% (14th percentile)
CVSS Vector:
The primary mitigation for CVE-2021-22563 is to upgrade libjxl to a version greater than 0.6.0. This version includes a fix for the out-of-bounds read vulnerability. If upgrading is not immediately feasible, the vendor has provided a patch on the libjxl GitHub repository (https://github.com/libjxl/libjxl/pull/757) that can be applied to the existing version. Thoroughly test the upgrade or patch in a non-production environment before deploying to production. Consider implementing input validation to reject or sanitize potentially malicious JPEG XL images before processing them.
Update the libjxl library to a version later than 0.6.0 or apply the patch provided at https://github.com/libjxl/libjxl/pull/757 to fix the out-of-bounds read vulnerability when processing invalid JPEG XL images.
CVE-2021-22563 is a medium severity vulnerability in libjxl versions up to 0.6.0 that allows malicious JPEG XL images to trigger an out-of-bounds read, potentially leading to crashes or code execution.
You are affected if your system uses libjxl version 0.6.0 or earlier. Check your libjxl version and upgrade if necessary.
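A version check for the affected range stated above, written for this page as an added example (it is not libjxl's own tooling). It compares versions numerically rather than as strings, so "0.10.0" is correctly treated as newer than "0.6.0", and it assumes the library's pkg-config file (`libjxl.pc`) is installed when asking the system for the version. The advisory gives 0.6.1 as the fixed release; treating a pre-release of 0.6.1 as still affected is this example's own conservative assumption.

```python
import re
import shutil
import subprocess
from typing import Dict, Iterable, Optional, Tuple

# From the advisory: libjxl <= 0.6.0 is affected, 0.6.1 is the first fixed release.
FIRST_FIXED = (0, 6, 1)

# Accepts "0.6.1", "v0.6", "0.6.1-rc1", "0.6.1+build5" (pre-release tag captured, build metadata ignored).
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.\-]+))?(?:\+[0-9A-Za-z.\-]+)?$"
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease). A missing patch component is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised libjxl version string: {text!r}")
    major, minor, patch, tag = m.groups()
    # Integer tuples compare numerically, avoiding the lexicographic trap ("0.10.0" < "0.6.0" as strings).
    return (int(major), int(minor), int(patch or 0)), tag is not None


def is_affected(version: str) -> bool:
    """True when the version falls in the range the advisory names (<= 0.6.0).
    Assumption (this example's, not the advisory's): a pre-release of 0.6.1 may predate
    the fix, so only 0.6.1 proper or later is reported as fixed."""
    core, prerelease = parse_version(version)
    return core < FIRST_FIXED or (core == FIRST_FIXED and prerelease)


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string (e.g. from an inventory) to an affected/not-affected verdict."""
    return {v: is_affected(v) for v in versions}


def installed_version() -> Optional[str]:
    """Ask pkg-config for the installed libjxl version; None if pkg-config or libjxl.pc is absent."""
    if shutil.which("pkg-config") is None:
        return None
    proc = subprocess.run(["pkg-config", "--modversion", "libjxl"], capture_output=True, text=True)
    return proc.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample inventory, not real scan output.
    for ver, hit in triage(["0.5.0", "0.6.0", "0.6.1-rc1", "0.6.1", "0.10.0", "v0.7"]).items():
        print(f"libjxl {ver}: {'AFFECTED (CVE-2021-22563)' if hit else 'not affected'}")
    local = installed_version()
    print("installed:", local, "->", "affected" if local and is_affected(local) else "not affected / unknown")
```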
Upgrade libjxl to a version greater than 0.6.0. Alternatively, apply the patch available on the libjxl GitHub repository: https://github.com/libjxl/libjxl/pull/757.
There is currently no evidence of active exploitation of CVE-2021-22563.
Refer to the libjxl GitHub repository for information and updates: https://github.com/libjxl/libjxl