CVE-2021-29390

7.1 HIGH

📋 TL;DR

CVE-2021-29390 is a heap-based buffer over-read vulnerability in libjpeg-turbo's decompress_smooth_data function that allows reading 2 bytes beyond allocated memory boundaries. This affects any application using libjpeg-turbo version 2.0.90 to process JPEG images, potentially leading to information disclosure or denial of service.

💻 Affected Systems

Products:
  • libjpeg-turbo
  • Any software using libjpeg-turbo library
Versions: libjpeg-turbo version 2.0.90 only
Operating Systems: Linux, Windows, macOS, BSD - all platforms using vulnerable libjpeg-turbo
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with libjpeg-turbo 2.0.90 specifically; earlier and later versions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution through memory corruption leading to complete system compromise, though this is unlikely given the limited 2-byte over-read.

🟠 Likely Case

Application crash (denial of service) or information disclosure of adjacent memory contents when processing malicious JPEG files.

🟢 If Mitigated

Limited impact with proper memory protections (ASLR, DEP) and sandboxing, typically resulting in application termination only.

🌐 Internet-Facing: MEDIUM - Applications processing user-uploaded JPEGs from untrusted sources are vulnerable, but exploitation requires specific conditions.
🏢 Internal Only: LOW - Internal systems typically process trusted images, reducing attack surface significantly.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploitation requires crafting a specific JPEG file that triggers the buffer over-read; no public exploits have been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libjpeg-turbo 2.0.91 and later

Vendor Advisory: https://github.com/libjpeg-turbo/libjpeg-turbo/security/advisories/GHSA-5-3-3-3-3

Restart Required: Yes

Instructions:

1. Update libjpeg-turbo to version 2.0.91 or later using your package manager.
2. Restart all applications using libjpeg-turbo.
3. Rebuild any statically linked applications with the updated library.

🔧 Temporary Workarounds

Disable JPEG processing (all platforms)

Temporarily disable JPEG image processing in affected applications until patching is possible.

Use alternative JPEG library (Linux)

Configure applications to use alternative JPEG libraries like libjpeg instead of libjpeg-turbo:

`sudo apt-get install libjpeg-dev`

Then reconfigure applications to link against libjpeg instead of libjpeg-turbo.

🧯 If You Can't Patch

  • Implement strict input validation for JPEG files before processing
  • Run applications with memory protection features (ASLR, DEP) enabled and in sandboxed environments

🔍 How to Verify

Check if Vulnerable:

Check libjpeg-turbo version: `dpkg -l | grep libjpeg-turbo` or `rpm -qa | grep libjpeg-turbo` or `djpeg -version` (djpeg ships with libjpeg-turbo's command-line tools and prints its version banner on stderr)

Check Version:

`djpeg -version 2>&1 | head -1`

Verify Fix Applied:

Confirm version is 2.0.91 or later: `djpeg -version 2>&1 | head -1 | grep -Eq 'version (2\.0\.9[1-9]|2\.[1-9]|3\.)' && echo 'Patched'`
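
An added example (not part of the original advisory or the libjpeg-turbo project): a shell helper that applies this page's rule, that only 2.0.90 is affected, to version strings as they appear in `dpkg -l`, `rpm -qa` or a version banner. The function names and the inventory lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag libjpeg-turbo 2.0.90 in collected version strings.
# Function names and the sample inventory are constructed for illustration.

# Print the first upstream x.y.z version found in a string, or nothing.
# Copes with dpkg epochs ("1:2.0.6-4"), rpm NVRA names and version banners.
upstream_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Apply the advisory's rule: only 2.0.90 is affected.
classify() {
    v=$(upstream_version "$1")
    case "$v" in
        '')     echo unknown ;;
        2.0.90) echo vulnerable ;;
        *)      echo not-affected ;;
    esac
}

# Constructed inventory: "<host> <raw version string>" per line.
sample_inventory() {
    cat <<'EOF'
web-01 ii  libjpeg62-turbo:amd64 1:2.0.6-4 amd64 libjpeg-turbo JPEG runtime library
img-02 libjpeg-turbo-2.0.90-2.fc34.x86_64
build-03 libjpeg-turbo version 2.1.0 (build 20210423)
kiosk-04 package libjpeg-turbo is not installed
EOF
}

# Read an inventory on stdin and print the hosts that need patching.
vulnerable_hosts() {
    while read -r host raw; do
        if [ "$(classify "$raw")" = vulnerable ]; then
            echo "$host"
        fi
    done
}

sample_inventory | vulnerable_hosts
```

Statically linked copies of the library do not appear in package listings, which is why the fix instructions call for rebuilding those applications; hosts reported as `unknown` need a manual check.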

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults when processing JPEG files
  • Memory access violation errors in application logs

Network Indicators:

  • Unusual JPEG file uploads to web applications
  • Repeated failed image processing requests

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "access violation") AND "jpeg"
