CVE-2025-12474

A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized (but allocated) memory. This can be done by causing the decoder to reference an outside-image-bound area in a subsequent patches. An incorrect optimization causes the decoder to omit populating those areas.

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/libjxl/libjxl/pull/4495	Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:libjxl_project:libjxl:*:*:*:*:*:*:*:*

History

24 Apr 2026, 16:42

Type	Values Removed	Values Added
Summary		(es) Un archivo especialmente diseñado puede provocar que el decodificador de libjxl lea datos de píxeles de memoria no inicializada (pero asignada). Esto se puede lograr al provocar que el decodificador haga referencia a un área fuera de los límites de la imagen en parches posteriores. Una optimización incorrecta provoca que el decodificador omita poblar esas áreas.
References	~~() https://github.com/libjxl/libjxl/pull/4495 -~~	() https://github.com/libjxl/libjxl/pull/4495 - Issue Tracking, Patch
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.4
CPE		cpe:2.3:a:libjxl_project:libjxl::::::::
First Time		Libjxl Project libjxl Libjxl Project

11 Feb 2026, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-11 16:15

Updated : 2026-04-24 16:42

NVD link : CVE-2025-12474

Mitre link : CVE-2025-12474

CVE.ORG link : CVE-2025-12474

JSON object : View

Products Affected

libjxl_project

libjxl

CWE

CWE-908

Use of Uninitialized Resource

{"id": "CVE-2025-12474", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-11T16:15:53.647", "references": [{"url": "https://github.com/libjxl/libjxl/pull/4495", "tags": ["Issue Tracking", "Patch"], "source": "cve-coordination@google.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-908"}]}], "descriptions": [{"lang": "en", "value": "A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized (but allocated) memory.\n\nThis can be done by causing the decoder to reference an outside-image-bound area in a subsequent patches. An incorrect optimization causes the decoder to omit populating those areas."}, {"lang": "es", "value": "Un archivo especialmente dise\u00f1ado puede provocar que el decodificador de libjxl lea datos de p\u00edxeles de memoria no inicializada (pero asignada).\n\nEsto se puede lograr al provocar que el decodificador haga referencia a un \u00e1rea fuera de los l\u00edmites de la imagen en parches posteriores. Una optimizaci\u00f3n incorrecta provoca que el decodificador omita poblar esas \u00e1reas."}], "lastModified": "2026-04-24T16:42:18.960", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libjxl_project:libjxl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55A18079-A86E-4EA1-ADD2-FEBB1A3F7A7B", "versionEndIncluding": "0.11.1", "versionStartIncluding": "0.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}