Platform: c
Component: libjxl
Fixed in: 0.6.1
CVE-2021-22563 describes an out-of-bounds read vulnerability discovered in libjxl, a library for JPEG XL image encoding and decoding. This flaw allows specially crafted JPEG XL images to trigger memory corruption during spline rendering, potentially leading to a denial of service or, in more severe cases, arbitrary code execution. The vulnerability affects versions of libjxl up to and including 0.6.0, and a patch is available on the libjxl GitHub repository.
An attacker could exploit this vulnerability by supplying a malicious JPEG XL image to an application that uses libjxl for decoding. The crafted image triggers an out-of-bounds read within the std::vector<std::vector<T>> data structure used for spline rendering. This can cause a segmentation fault that crashes the application. More critically, the out-of-bounds read could allow the attacker to read data from arbitrary memory locations, potentially revealing sensitive information or even overwriting critical data, leading to arbitrary code execution. The blast radius depends on the application that embeds libjxl; if it is a core system component, the impact could be widespread.
CVE-2021-22563 was publicly disclosed on November 1, 2021. There is no indication of active exploitation at this time. A public proof-of-concept (PoC) is not currently available, but the vulnerability's nature suggests that one could be developed relatively easily. The vulnerability is not currently listed on the CISA KEV catalog.
Applications and systems that utilize libjxl for JPEG XL image decoding are at risk. This includes image processing software, media players, and web applications that handle JPEG XL images. Specifically, systems relying on older, unpatched versions of libjxl (≤0.6.0) are particularly vulnerable.
• c/linux: Use lsof or ps to identify processes using libjxl. Monitor these processes for unexpected crashes or memory access errors. Review system logs for any errors related to libjxl or image decoding.
  lsof | grep libjxl
  ps aux | grep libjxl
• c/windows: Use Process Explorer to identify processes using libjxl. Monitor these processes for crashes or memory access violations. Examine Windows Event Logs for application errors related to libjxl.
• generic web: If libjxl is used in a web application, monitor web server error logs for any errors related to image processing or decoding. Inspect HTTP requests for unusual JPEG XL image content.
disclosure
Exploit status
EPSS: 0.04% (14th percentile)
CVSS vector
The primary mitigation for CVE-2021-22563 is to upgrade libjxl to a version greater than 0.6.0. This version includes a fix for the out-of-bounds read vulnerability. If upgrading is not immediately feasible, the vendor has provided a patch on the libjxl GitHub repository (https://github.com/libjxl/libjxl/pull/757) that can be applied to the existing version. Thoroughly test the upgrade or patch in a non-production environment before deploying to production. Consider implementing input validation to reject or sanitize potentially malicious JPEG XL images before processing them.
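The detection and mitigation guidance above comes down to two checks: is the installed libjxl older than the 0.6.1 fix, and which running processes have it loaded. The following POSIX shell script is an added example (not from this advisory or the libjxl project) that performs both; it assumes pkg-config knows the libjxl package and that /proc/<pid>/maps is readable (Linux only).

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed libjxl
# version falls in the affected range (<= 0.6.0, i.e. before the 0.6.1 fix)
# and list Linux processes that currently have a libjxl shared object mapped.

# Returns 0 (true) if VERSION is affected by CVE-2021-22563, 1 otherwise.
# Accepts "0.6", "0.6.0", "0.6.0-rc1"; missing components count as 0.
libjxl_is_affected() {
    ver=$1
    old_ifs=$IFS
    IFS=.
    set -- $ver                 # split on '.' into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # drop any non-numeric suffix such as "-rc1" or "_beta"
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    # affected iff (major, minor, patch) < (0, 6, 1)
    [ "$major" -gt 0 ] && return 1
    [ "$minor" -gt 6 ] && return 1
    [ "$minor" -lt 6 ] && return 0
    [ "$patch" -lt 1 ]
}

# Version as reported by pkg-config (non-zero status if unavailable).
installed_libjxl_version() {
    command -v pkg-config >/dev/null 2>&1 || return 1
    pkg-config --modversion libjxl 2>/dev/null
}

# PIDs of processes with a libjxl shared object in their address space
# (reads /proc/<pid>/maps; unreadable entries are skipped silently).
libjxl_loaded_pids() {
    for maps in /proc/[0-9]*/maps; do
        if grep -q 'libjxl' "$maps" 2>/dev/null; then
            echo "$maps" | cut -d/ -f3
        fi
    done
}

main() {
    if v=$(installed_libjxl_version) && [ -n "$v" ]; then
        if libjxl_is_affected "$v"; then
            echo "libjxl $v is affected by CVE-2021-22563; upgrade to 0.6.1 or later"
        else
            echo "libjxl $v is not in the affected range"
        fi
    else
        echo "libjxl version not reported by pkg-config; check your package manager"
    fi
    echo "processes with libjxl mapped (PIDs):"
    libjxl_loaded_pids
}

main "$@"
```

Where pkg-config is absent, feed the version your package manager reports to libjxl_is_affected directly; the PID list tells you which services need a restart after the upgrade.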
Update the libjxl library to a version later than 0.6.0, or apply the patch provided at https://github.com/libjxl/libjxl/pull/757, to fix the out-of-bounds read vulnerability triggered when processing invalid JPEG XL images.
CVE-2021-22563 is a medium severity vulnerability in libjxl versions up to 0.6.0 that allows malicious JPEG XL images to trigger an out-of-bounds read, potentially leading to crashes or code execution.
You are affected if your system uses libjxl version 0.6.0 or earlier. Check your libjxl version and upgrade if necessary.
Upgrade libjxl to a version greater than 0.6.0. Alternatively, apply the patch available on the libjxl GitHub repository: https://github.com/libjxl/libjxl/pull/757.
There is currently no evidence of active exploitation of CVE-2021-22563.
Refer to the libjxl GitHub repository for information and updates: https://github.com/libjxl/libjxl