DEBIAN-CVE-2025-12474
PUBLISHED
CVSS 4.4 MEDIUM
A specially crafted file can cause libjxl's decoder to read pixel data from uninitialized (but allocated) memory. This can be done by causing the decoder to reference an area outside the image bounds in subsequent patches. An incorrect optimization causes the decoder to omit populating those areas.
Risk Scores
CVSS 3.1
4.4
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | jpeg-xl | 0.11.2-0.1, 0.11.1-6, 0.11.1-5 |
| Debian:12 | jpeg-xl | 0.11.1-6, 0.11.2-1, 0.7.0-10+deb12u1 |
| Debian:14 | jpeg-xl | 0.11.2-0.1, 0.11.1-6, 0.11.1-5 |
Exploit Intelligence
- build.ps1 (github-poc)
Timeline
- Feb 11, 2026 CVE Published
- May 16, 2026 CVE Updated