CVE-2023-35790

7.5 HIGH

📋 TL;DR

This vulnerability in libjxl (the reference JPEG XL library) is an integer underflow in patch dictionary decoding: a crafted JPEG XL file can drive the decoder into an infinite loop, so the process decoding it hangs with a CPU core pinned instead of returning. The impact is availability only (the 7.5 score is CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H); no memory corruption or code execution is attributed to this CVE. Every application that decodes JPEG XL images with a vulnerable libjxl is affected, and an attacker needs nothing more than to get a malicious file decoded.

💻 Affected Systems

Products:
  • libjxl
  • Applications using libjxl library
Versions: All versions before 0.8.2
Operating Systems: All platforms where libjxl is used
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that decodes JPEG XL images with libjxl is exposed as soon as it processes a malicious file; there is no configuration that turns the affected code path off short of not decoding JPEG XL at all. This includes applications that bundle (vendor) their own copy of libjxl instead of using the system package, which the package manager will not report.

📦 What is this software?

libjxl is the reference implementation of the JPEG XL image format (ISO/IEC 18181). It provides the encoder and decoder, the cjxl and djxl command-line tools, and a C API (jxl/decode.h) that image viewers, converters and web services link against to decode .jxl files.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A decoder thread spins forever at 100% CPU. In a service that decodes images on the request path (uploads, thumbnailing, image proxies), a handful of such files ties up every worker thread or process, and the service stays down until the stuck processes are killed; with no CPU-time limit in place, nothing kills them.

🟠

Likely Case

The application hangs (or is killed by a watchdog or timeout) when decoding a specially crafted JPEG XL image, disrupting whatever depended on that decode.

🟢

If Mitigated

With decoding confined to an isolated worker under a CPU-time limit, a malicious file costs one killed decode; the file is rejected and the service carries on. Input validation alone reduces exposure only if it rejects JPEG XL outright, since a signature check cannot see the malformed patch dictionary.

🌐 Internet-Facing: MEDIUM - Any web application that decodes user-supplied images with libjxl (uploads, avatar resizing, thumbnailing, image proxies) is exposed, but only if JPEG XL is actually decoded rather than rejected.
🏢 Internal Only: LOW - Requires a malicious JPEG XL file to reach a decoder, which is less common internally, though mail attachment scanning, document conversion and desktop image viewers still count.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that a malicious JPEG XL file reach a vulnerable decoder: an upload form, a thumbnail pipeline, an image proxy, or a file opened in a desktop viewer. No authentication is needed wherever file processing is reachable without one, and the file need not carry a .jxl extension if the application sniffs content types rather than trusting extensions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.2 and later

Vendor Advisory: https://github.com/libjxl/libjxl/releases/tag/v0.8.2

Restart Required: Yes (a patched shared library is only picked up by processes started after the update; long-running workers keep the old code mapped until restarted)

Instructions:

1. Update libjxl to 0.8.2 or later (distribution package, or rebuild from the v0.8.2 tag).
2. Rebuild and redeploy any application that links libjxl statically or ships its own vendored copy; a distribution package update does not fix those.
3. Restart every service that loads libjxl dynamically so it maps the patched library.

🔧 Temporary Workarounds

Disable JPEG XL processing
  Platforms: all
  Temporarily disable JPEG XL image decoding in the application.
  Use the application's own configuration to reject JPEG XL input, and reject by content (the codestream and container signatures), not by file extension alone.

Input validation
  Platforms: all
  Validate JPEG XL files before they reach the decoder.
  Check the file signature and enforce size limits. Neither check can detect the malformed patch dictionary itself, so on their own they do not stop this bug; they narrow what reaches the decoder and are worthwhile mainly in combination with a CPU-time limit on the decode.

🧯 If You Can't Patch

  • Reject JPEG XL uploads by content signature (a bare codestream starts with bytes FF 0A; the ISO-BMFF container starts with the 12-byte "JXL " signature box 00 00 00 0C 4A 58 4C 20 0D 0A 87 0A), not by extension or client-supplied Content-Type
  • Run libjxl decoding in an isolated worker or container with a CPU-time limit (RLIMIT_CPU or a wall-clock timeout) as well as a memory cap. The CPU-time limit is the control that matters for this CVE: the bug is an infinite loop, so a memory limit alone does nothing and a hung decoder has to be killed
  • Treat a decode killed by the limit as a rejected file (do not retry it) and rate-limit the submitting client
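
The two stop-gaps above (rejecting JPEG XL by content, and confining any remaining decoding under resource limits) as an added shell example. This is not code from the libjxl project or from this advisory's vendor. It assumes a POSIX shell with od and mktemp, uses coreutils timeout when present, and the limit values and the djxl invocation in the usage note are illustrations only; the sample files it creates are constructed signature prefixes, not decodable images.

```shell
#!/bin/sh
# Added example, not code from the libjxl project: two stop-gaps for
# CVE-2023-35790 on hosts that cannot upgrade libjxl yet.
#   1. Recognise JPEG XL input by signature, so an upload handler can reject it
#      regardless of file extension or client-supplied Content-Type.
#   2. Run any decoding that must continue under a CPU-time cap and a wall-clock
#      timeout, so a decoder stuck in the infinite loop is killed instead of
#      pinning a worker forever.
# Limit values below are illustrative; tune them to your decoder and inputs.

# Print the first $2 bytes of file $1 as lowercase hex with no separators.
hex_prefix() { od -An -tx1 -N "$2" "$1" | tr -d ' \n'; }

# Return 0 if $1 starts with a JPEG XL signature. Two forms exist: a bare
# codestream begins with bytes FF 0A; the ISO-BMFF container begins with the
# 12-byte signature box 00 00 00 0C "JXL " 0D 0A 87 0A.
is_jpegxl() {
  case "$(hex_prefix "$1" 12)" in
    ff0a*)                      return 0 ;;   # bare codestream
    0000000c4a584c200d0a870a*)  return 0 ;;   # container signature box
    *)                          return 1 ;;
  esac
}

# Print every regular file in directory $1 that is JPEG XL by content,
# whatever its extension. Returns 0 if at least one was found, 1 otherwise.
find_jpegxl() {
  found=1
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if is_jpegxl "$f"; then printf '%s\n' "$f"; found=0; fi
  done
  return "$found"
}

# Run a decoder command under limits: $1 CPU seconds, $2 wall-clock seconds,
# $3 address-space KiB, then the command. Returns the command's exit status.
# RLIMIT_CPU is the control that actually stops this bug: a process spinning in
# the decoder exceeds it and is killed (exit 128+SIGXCPU, i.e. 152 on Linux).
# The wall-clock cap additionally covers a decoder that blocks instead of spins.
run_decoder_limited() {
  cpu="$1"; wall="$2"; mem="$3"; shift 3
  if command -v timeout >/dev/null 2>&1; then
    set -- timeout "$wall" "$@"          # coreutils timeout, when available
  fi
  (
    ulimit -t "$cpu" || exit 125         # fail closed: never decode without a CPU cap
    ulimit -v "$mem" 2>/dev/null || true # RLIMIT_AS; unsupported on some platforms
    exec "$@"
  )
}

# Constructed sample inputs (signature prefixes only, not decodable images):
# a bare codestream, a container, a PNG, and a codestream renamed to .png to
# show that extension checks are not enough. Prints the directory created.
make_samples() {
  d=$(mktemp -d)
  printf '\377\012'                             > "$d/codestream.jxl"
  printf '\000\000\000\014JXL \015\012\207\012' > "$d/container.jxl"
  printf '\211PNG\015\012\032\012'              > "$d/image.png"
  printf '\377\012'                             > "$d/renamed.png"
  printf '%s\n' "$d"
}
```

For a real job the call looks like run_decoder_limited 5 10 524288 djxl in.jxl out.png (djxl is libjxl's own command-line decoder; the numbers are placeholders). A non-zero status from a file that passed is_jpegxl should be treated as a rejected upload, not retried. find_jpegxl on the directory from make_samples lists three of the four files, including the one renamed to .png, which is exactly the case an extension-based filter misses.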

🔍 How to Verify

Check if Vulnerable:

Find the installed libjxl version with pkg-config --modversion libjxl, or ask the package manager (dpkg -l 'libjxl*' on Debian/Ubuntu, rpm -q libjxl on RPM-based distributions). Note that ldd --version prints the glibc version, not the version of any library; to see which libjxl a given binary actually loads, run ldd /path/to/binary | grep -i jxl and inspect the resolved .so path. Applications that vendor their own libjxl will not show up in any of these and must be checked from their own release notes.

Check Version:

pkg-config --modversion libjxl, or for a specific binary: ldd /path/to/binary | grep -i jxl. In source, the macros JPEGXL_MAJOR_VERSION, JPEGXL_MINOR_VERSION and JPEGXL_PATCH_VERSION in jxl/version.h give the header version, and at run time JxlDecoderVersion() returns major*1000000 + minor*1000 + patch, so 0.8.2 reports as 8002.

Verify Fix Applied:

Confirm the installed version is 0.8.2 or higher (pkg-config --modversion libjxl), then confirm no running process still maps the old library: on Linux, grep -l 'libjxl\.so' /proc/[0-9]*/maps 2>/dev/null lists the PIDs that have it loaded, and any of them started before the upgrade must be restarted.
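
The checks above, as an added shell script; it is not code from the libjxl project or from this advisory's vendor. It assumes pkg-config, dpkg-query or rpm can report the installed version, that the Debian package names match libjxl* and the RPM package is called libjxl (both assumptions), that the script is saved as jxl_check.sh, and a Linux /proc for the process scan.

```shell
#!/bin/sh
# Added example, not code from the libjxl project: report whether the installed
# libjxl predates the fixed release 0.8.2 and, on Linux, which running processes
# still have a libjxl shared object mapped. The dpkg/rpm package names below
# are assumptions; adjust them for your distribution.

FIXED_VERSION="0.8.2"   # first release carrying the fix for CVE-2023-35790

# Return 0 (true) if dotted version $1 is strictly older than $2. Components
# are compared numerically, so 0.10.0 correctly sorts after 0.8.2 (a string
# comparison would get that wrong).
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$1" | cut -d. -f"$i")
    y=$(printf '%s\n' "$2" | cut -d. -f"$i")
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # keep only the leading digits of each component
    x=${x:-0}; y=${y:-0}               # a missing component ("0.8") counts as 0
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# Return 0 if libjxl version $1 is affected by CVE-2023-35790.
jxl_is_vulnerable() { version_lt "$1" "$FIXED_VERSION"; }

# Print the installed libjxl version, or print nothing and return 1.
# pkg-config reports what a build on this host would link against; the package
# managers are fallbacks for hosts without development files installed.
jxl_installed_version() {
  v=$(pkg-config --modversion libjxl 2>/dev/null) || v=""
  if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
  # Debian/Ubuntu (package name pattern assumed): drop epoch and Debian revision
  v=$(dpkg-query -W -f='${Version}\n' 'libjxl*' 2>/dev/null) || v=""
  v=$(printf '%s\n' "$v" | head -n1 | sed 's/^[0-9]*://; s/-.*//')
  if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
  # RPM-based distributions (package name assumed)
  v=$(rpm -q --qf '%{VERSION}\n' libjxl 2>/dev/null) || v=""
  if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
  return 1
}

# Linux only: print "PID command" for every process with a libjxl shared object
# mapped. After the package upgrade these keep running the old code until
# restarted. Processes whose maps are unreadable are skipped silently.
processes_using_libjxl() {
  for maps in /proc/[0-9]*/maps; do
    [ -r "$maps" ] || continue
    if grep -q 'libjxl\.so' "$maps" 2>/dev/null; then
      pid=${maps#/proc/}; pid=${pid%/maps}
      printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    fi
  done
  return 0
}

# Exit 0 if patched, 1 if vulnerable, 2 if no system libjxl was found (which
# does not rule out copies vendored inside applications).
main() {
  if ! v=$(jxl_installed_version); then
    echo "no system libjxl found via pkg-config/dpkg/rpm; check vendored copies in applications"
    return 2
  fi
  if jxl_is_vulnerable "$v"; then
    echo "libjxl $v is VULNERABLE to CVE-2023-35790 (fixed in $FIXED_VERSION)"
    rc=1
  else
    echo "libjxl $v is at or past $FIXED_VERSION; restart anything listed below that predates the upgrade"
    rc=0
  fi
  processes_using_libjxl
  return "$rc"
}

# Run the check when executed directly as jxl_check.sh (file name assumed).
case "${0##*/}" in jxl_check.sh) main "$@" ;; esac
```

Run it as sh jxl_check.sh and use the exit status in fleet tooling: 1 means the host still needs the upgrade, 0 with a non-empty process list means the upgrade landed but long-running services have not yet been restarted, and 2 means the host has no system libjxl and only vendored copies (if any) need chasing.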

📡 Detection & Monitoring

Log Indicators:

  • Image-processing workers stuck at 100% CPU that never complete, or request timeouts confined to the image-decoding path
  • Supervisor, watchdog or timeout logs showing the same worker killed and restarted repeatedly
  • The same uploaded file or submitting client appearing in each of those events

Network Indicators:

  • Uploads whose content carries a JPEG XL signature (bytes FF 0A, or the "JXL " container signature box) arriving under another image extension or Content-Type, especially many from one client

SIEM Query:

source="application_logs" AND ("libjxl" OR "JPEG XL" OR "djxl") AND ("crash" OR "hang" OR "timeout" OR "high cpu")

🔗 References

  • https://nvd.nist.gov/vuln/detail/CVE-2023-35790
  • https://github.com/libjxl/libjxl/releases/tag/v0.8.2