CVE-2021-28026

7.8 HIGH

📋 TL;DR

CVE-2021-28026 is a heap buffer overflow vulnerability in jpeg-xl v0.3.2 that allows arbitrary code execution or denial of service when decoding malicious JPEG XL files. This affects any system using the djxl decoder tool or applications that incorporate the vulnerable jpeg-xl library. Attackers can exploit this by tricking users into opening specially crafted .jxl files.

💻 Affected Systems

Products:
  • jpeg-xl
  • djxl
  • applications using libjxl
Versions: jpeg-xl v0.3.2 and potentially earlier versions
Operating Systems: Linux, Windows, macOS, BSD - any OS running vulnerable jpeg-xl
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the core library, so any application using libjxl for JPEG XL decoding is potentially affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Application crash causing denial of service, potentially leading to data corruption or service disruption.

🟢 If Mitigated: Application crash with no further impact if proper sandboxing and privilege separation are implemented.

🌐 Internet-Facing: MEDIUM - Exploitation requires user interaction to open malicious files, but web applications processing user-uploaded images could be vulnerable.
🏢 Internal Only: LOW - Primarily affects individual workstations where users open image files; limited lateral movement potential.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is available in the GitLab issue; exploitation requires a user to open a malicious file, but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: jpeg-xl v0.3.3 and later

Vendor Advisory: https://gitlab.com/wg1/jpeg-xl/-/issues/163

Restart Required: Yes

Instructions:

1. Update jpeg-xl to version 0.3.3 or later.
2. Recompile any applications using libjxl.
3. Restart affected services or applications.

🔧 Temporary Workarounds

Disable JPEG XL processing (applies to: all): Temporarily disable JPEG XL file processing in applications until patched.

File type blocking (applies to: all): Block .jxl files at network perimeter or email gateways.

🧯 If You Can't Patch

  • Implement strict file upload validation rejecting .jxl files
  • Run vulnerable applications in sandboxed environments with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check the jpeg-xl version with djxl --version, or check the installed libjxl package version.

Check Version:

djxl --version 2>&1 | grep -i version

Verify Fix Applied:

Confirm the version is 0.3.3 or later and, where a known crashing sample is available, confirm the patched decoder no longer crashes on it.
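A version check that automates the step above, added here as an example and not part of the advisory. It assumes only that djxl --version (or the package manager) prints a dotted X.Y.Z version somewhere in its output, since the exact output format is not given on the page, and it compares components numerically so that 0.10.x ranks above 0.3.3 rather than below it.

```shell
#!/bin/sh
# Added example, not from the advisory: rank a libjxl/djxl version string
# against the fixed release (0.3.3) for CVE-2021-28026.
# Assumption: the version output contains a dotted X.Y.Z somewhere; the exact
# format of `djxl --version` is not documented on this page.

FIXED_VERSION="0.3.3"

# extract_version "<raw output>" -> first X.Y.Z found, or empty string
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_ge A B -> exit 0 if A >= B comparing each component as an integer
# (a plain string compare would rank 0.10.0 below 0.3.3)
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        c1=$(printf '%s' "$1" | cut -d. -f"$i")
        c2=$(printf '%s' "$2" | cut -d. -f"$i")
        c1=${c1:-0}; c2=${c2:-0}
        if [ "$c1" -gt "$c2" ]; then return 0; fi
        if [ "$c1" -lt "$c2" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_status "<raw output>" -> prints fixed / vulnerable / unknown and
# returns 0 / 1 / 2 so it can drive a fleet-wide inventory script
check_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"; return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "fixed"; return 0
    fi
    echo "vulnerable"; return 1
}

# Constructed sample strings (not real djxl output) for offline use:
SAMPLE_OLD="djxl v0.3.2"
SAMPLE_NEW="libjxl 0.3.3"

# Live use on a host: check_status "$(djxl --version 2>&1)"
```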

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults when processing image files
  • Unexpected process termination of djxl or applications using libjxl

Network Indicators:

  • Unusual outbound connections after processing image files
  • File uploads with .jxl extension

SIEM Query:

process_name="djxl" AND (event_type="crash" OR exit_code="139")

Exit code 139 is 128 + 11, the shell's encoding of termination by SIGSEGV. Applications that embed libjxl crash under their own process name, so widen the process_name filter to cover them.
