jxl-oxide CVE-2026-52834
HIGHSeverity by source
AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
Crafted image must be decoded (AV:L) on a 32-bit target with overflow-triggering dimensions (AC:H); no auth (PR:N); attacker-controlled heap OOB write plausibly yields code execution within the process (S:U, C/I/A:H).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 13 cargo packages depend on jxl-grid (8 direct, 5 indirect)
Ecosystem-wide dependent count for version 0.6.2.
DescriptionGitHub Advisory
Summary
On 32-bit platforms, decoding a crafted image may lead to out-of-bounds writes due to integer overflow in length calculation.
Details & PoC
The test listed below fail under miri with command cargo +nightly miri test --release -p jxl-grid
Or you can use Address Sanitizer, which ignores Rust-specific UB like aliasing but still flags out-of-bounds accesses:
RUSTFLAGS=-Zsanitizer=address cargo +nightly test -Zbuild-std -p jxl-grid --release --target x86_64-unknown-linux-gnu
The following tests should be appended to crates/jxl-grid/src/test/subgrids.rs:
mod miri_ub {
use super::*;
// `AlignedGrid::with_alloc_tracker` computes `width * height` unchecked. In release, overflow
// can create a tiny backing buffer for huge logical dimensions.
#[test]
fn aligned_grid_dimension_product_overflows() {
let width = usize::MAX / 2 + 1;
let mut grid = AlignedGrid::<u8>::with_alloc_tracker(width, 2, None).unwrap();
let mut subgrid = grid.as_subgrid_mut();
*subgrid.get_mut(0, 1) = 1;
std::hint::black_box(grid);
}
}This issue can be reachable through decoding a crafted image in two ways:
- Huge actual frame
A frame such as 65536 x 65536 passes the current frame area limit (2^32 <= 2^40) but overflows usize element count on 32-bit. Rendering then allocates too-small AlignedGrids in modular/VarDCT/filter paths and later writes through mutable subgrids.
- Huge canvas plus tiny cropped frame
This is the more practical “small payload, huge logical output” case. A bitstream-controlled frame crop can be tiny, but if the canvas/default requested region is huge, composition can allocate an output grid sized to the canvas/ROI at crates/jxl-render/src/blend.rs. That is bitstream frame cropping, not API crop. With a 32-bit target and a full requested image region whose area overflows, this can happen through ordinary render_frame().
Impact
On 32-bit platforms this can cause out-of-bounds writes with attacker-controlled data when decoding a crafted JPEG XL image. This could allow arbitrary code execution.
AnalysisAI
Heap out-of-bounds writes in jxl-oxide's jxl-grid crate allow attacker-controlled memory corruption on 32-bit platforms when decoding a crafted JPEG XL image, potentially leading to arbitrary code execution. An integer overflow in AlignedGrid's width×height length calculation produces an undersized backing buffer for huge logical dimensions, after which rendering writes through mutable subgrids beyond the allocation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the vulnerable code to run on a 32-bit platform (32-bit usize) - this is the hard prerequisite and the primary limiting factor, as 64-bit builds cannot trigger the overflow. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H, base 7.3) captures the key nuance: no authentication (PR:N) but high attack complexity (AC:H) because exploitation is strictly conditional on a 32-bit target and on triggering the specific integer-overflow arithmetic - on mainstream 64-bit systems the product does not overflow and the bug is not reachable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a JPEG XL file that declares a huge canvas/requested region (or a huge frame such as 65536×65536) while carrying a tiny cropped frame payload, then delivers it to a 32-bit application that decodes it via render_frame(). The integer-overflow-induced undersized allocation is written past its bounds during composition, corrupting the heap with attacker-influenced data and potentially achieving code execution. … |
| Remediation | Upgrade jxl-grid (and the parent jxl-oxide) to the patched release identified in the vendor advisory; no exact fix version is included in the provided data, so determine the fixed version from RUSTSEC-2026-0151 (https://rustsec.org/advisories/RUSTSEC-2026-0151.html) and GHSA-5pmv-rx8r-wmv5 (https://github.com/tirr-c/jxl-oxide/security/advisories/GHSA-5pmv-rx8r-wmv5), then run cargo update -p jxl-grid and rebuild. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all deployments of jxl-oxide, identifying 32-bit systems and those processing untrusted images as highest priority. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-5pmv-rx8r-wmv5