UBUNTU-CVE-2024-11498

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2024-11498
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-11498.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-11498
Related
Published
2024-11-25T14:15:00Z
Modified
2025-07-03T05:07:19Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
[none]
Details

There exists a stack buffer overflow in libjxl. A specifically-crafted file can cause the JPEG XL decoder to use large amounts of stack space (up to 256mb is possible, maybe 512mb), potentially exhausting the stack. An attacker can craft a file that will cause excessive memory usage. We recommend upgrading past commit 65fbec56bc578b6b6ee02a527be70787bbd053b0.

References

Affected packages

Ubuntu:24.10 / jpeg-xl

Package

Name
jpeg-xl
Purl
pkg:deb/ubuntu/jpeg-xl@0.10.3-4ubuntu1?arch=source&distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.7.0-10.2ubuntu6
0.8.2-3ubuntu1
0.9.2-7ubuntu1
0.9.2-8
0.9.2-9
0.9.2-9ubuntu1
0.9.2-10
0.10.3-4ubuntu1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / jpeg-xl

Package

Name
jpeg-xl
Purl
pkg:deb/ubuntu/jpeg-xl@0.7.0-10.2ubuntu6?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.7.0-10ubuntu2
0.7.0-10.2ubuntu1
0.7.0-10.2ubuntu4
0.7.0-10.2ubuntu5
0.7.0-10.2ubuntu6

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:25.04 / jpeg-xl

Package

Name
jpeg-xl
Purl
pkg:deb/ubuntu/jpeg-xl@0.11.1-4?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.11.1-4

Affected versions

0.*

0.10.3-4ubuntu1
0.10.4-1
0.10.4-2
0.11.1-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "jpeg-xl-doc",
            "binary_version": "0.11.1-4"
        },
        {
            "binary_name": "libjpegxl-java",
            "binary_version": "0.11.1-4"
        },
        {
            "binary_name": "libjpegxl-java-dbgsym",
            "binary_version": "0.11.1-4"
        },
        {
            "binary_name": "libjxl-dev",
            "binary_version": "0.11.1-4"
        },
        {
            "binary_name": "libjxl-devtools",
            "binary_version": "0.11.1-4"
        },
        {
            "binary_name": "libjxl-devtools-dbgsym",
            "binary_version": "0.11.1-4"
        },
        {
            "binary_name": "libjxl-gdk-pixbuf",
            "binary_version": "0.11.1-4"
        },
        {
            "binary_name": "libjxl-gdk-pixbuf-dbgsym",
            "binary_version": "0.11.1-4"
        },
        {
            "binary_name": "libjxl-tools",
            "binary_version": "0.11.1-4"
        },
        {
            "binary_name": "libjxl-tools-dbgsym",
            "binary_version": "0.11.1-4"
        },
        {
            "binary_name": "libjxl0.11",
            "binary_version": "0.11.1-4"
        },
        {
            "binary_name": "libjxl0.11-dbgsym",
            "binary_version": "0.11.1-4"
        }
    ],
    "ubuntu_priority": "medium",
    "availability": "No subscription required"
}