Skip to main content

jxl-oxide CVE-2026-52834

HIGH
Heap-based Buffer Overflow (CWE-122)
2026-07-02 https://github.com/tirr-c/jxl-oxide GHSA-5pmv-rx8r-wmv5
7.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
vuln.today AI
7.4 HIGH

Crafted image must be decoded (AV:L) on a 32-bit target with overflow-triggering dimensions (AC:H); no auth (PR:N); attacker-controlled heap OOB write plausibly yields code execution within the process (S:U, C/I/A:H).

3.1 AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 21:21 vuln.today
CVE Published
Jul 02, 2026 - 20:45 github-advisory
HIGH 7.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 13 cargo packages depend on jxl-grid (8 direct, 5 indirect)

Ecosystem-wide dependent count for version 0.6.2.

DescriptionGitHub Advisory

Summary

On 32-bit platforms, decoding a crafted image may lead to out-of-bounds writes due to integer overflow in length calculation.

Details & PoC

The test listed below fail under miri with command cargo +nightly miri test --release -p jxl-grid

Or you can use Address Sanitizer, which ignores Rust-specific UB like aliasing but still flags out-of-bounds accesses:

RUSTFLAGS=-Zsanitizer=address cargo +nightly test -Zbuild-std -p jxl-grid --release --target x86_64-unknown-linux-gnu

The following tests should be appended to crates/jxl-grid/src/test/subgrids.rs:

rust
mod miri_ub {
    use super::*;

    // `AlignedGrid::with_alloc_tracker` computes `width * height` unchecked. In release, overflow
    // can create a tiny backing buffer for huge logical dimensions.
    #[test]
    fn aligned_grid_dimension_product_overflows() {
        let width = usize::MAX / 2 + 1;
        let mut grid = AlignedGrid::<u8>::with_alloc_tracker(width, 2, None).unwrap();
        let mut subgrid = grid.as_subgrid_mut();
        *subgrid.get_mut(0, 1) = 1;
        std::hint::black_box(grid);
    }
}

This issue can be reachable through decoding a crafted image in two ways:

  1. Huge actual frame

A frame such as 65536 x 65536 passes the current frame area limit (2^32 <= 2^40) but overflows usize element count on 32-bit. Rendering then allocates too-small AlignedGrids in modular/VarDCT/filter paths and later writes through mutable subgrids.

  1. Huge canvas plus tiny cropped frame

This is the more practical “small payload, huge logical output” case. A bitstream-controlled frame crop can be tiny, but if the canvas/default requested region is huge, composition can allocate an output grid sized to the canvas/ROI at crates/jxl-render/src/blend.rs. That is bitstream frame cropping, not API crop. With a 32-bit target and a full requested image region whose area overflows, this can happen through ordinary render_frame().

Impact

On 32-bit platforms this can cause out-of-bounds writes with attacker-controlled data when decoding a crafted JPEG XL image. This could allow arbitrary code execution.

AnalysisAI

Heap out-of-bounds writes in jxl-oxide's jxl-grid crate allow attacker-controlled memory corruption on 32-bit platforms when decoding a crafted JPEG XL image, potentially leading to arbitrary code execution. An integer overflow in AlignedGrid's width×height length calculation produces an undersized backing buffer for huge logical dimensions, after which rendering writes through mutable subgrids beyond the allocation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft JPEG XL with overflowing canvas/frame area
Delivery
Deliver image to 32-bit decoder
Exploit
render_frame allocates undersized AlignedGrid
Execution
Integer overflow in width×height wraps
Persist
Write through subgrid past buffer
Impact
Heap corruption, potential code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires the vulnerable code to run on a 32-bit platform (32-bit usize) - this is the hard prerequisite and the primary limiting factor, as 64-bit builds cannot trigger the overflow. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H, base 7.3) captures the key nuance: no authentication (PR:N) but high attack complexity (AC:H) because exploitation is strictly conditional on a 32-bit target and on triggering the specific integer-overflow arithmetic - on mainstream 64-bit systems the product does not overflow and the bug is not reachable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a JPEG XL file that declares a huge canvas/requested region (or a huge frame such as 65536×65536) while carrying a tiny cropped frame payload, then delivers it to a 32-bit application that decodes it via render_frame(). The integer-overflow-induced undersized allocation is written past its bounds during composition, corrupting the heap with attacker-influenced data and potentially achieving code execution. …
Remediation Upgrade jxl-grid (and the parent jxl-oxide) to the patched release identified in the vendor advisory; no exact fix version is included in the provided data, so determine the fixed version from RUSTSEC-2026-0151 (https://rustsec.org/advisories/RUSTSEC-2026-0151.html) and GHSA-5pmv-rx8r-wmv5 (https://github.com/tirr-c/jxl-oxide/security/advisories/GHSA-5pmv-rx8r-wmv5), then run cargo update -p jxl-grid and rebuild. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all deployments of jxl-oxide, identifying 32-bit systems and those processing untrusted images as highest priority. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52834 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy