CVE-2024-11403

9.8 CRITICAL

📋 TL;DR

libjxl's JPEG XL encoder contains its own JPEG decoder, used when an existing JPEG is losslessly recompressed to JPEG XL through JxlEncoderAddJPEGFrame. In affected versions that decoder does not properly validate the JPEG it is handed, so a crafted JPEG can cause out-of-bounds reads and writes inside the encoding process. Any application that passes untrusted JPEG files to libjxl (or the jpegli component built from the same repository) for JPEG XL recompression is exposed; the outcome ranges from a crash to information disclosure or remote code execution, which is why the CVSS score is critical and the fix should be applied promptly.

💻 Affected Systems

Products:
  • libjxl
  • jpegli
Versions: All versions prior to commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99
Operating Systems: All platforms where libjxl/jpegli is installed
Default Config Vulnerable: ⚠️ Yes (there is no build or runtime switch that disables the affected JPEG decoder; exposure depends on whether the application calls JxlEncoderAddJPEGFrame)
Notes: The vulnerability triggers when JxlEncoderAddJPEGFrame is called on untrusted JPEG input. Both libjxl and the jpegli component are affected. The affected code is the JPEG decoder used by the encoder for recompression; applications that only decode JPEG XL files or encode from raw pixels do not reach it.

📦 What is this software?

libjxl is the reference implementation of the JPEG XL image format (ISO/IEC 18181): the encoder and decoder library plus the cjxl/djxl command-line tools. jpegli is a libjpeg-compatible JPEG encoder/decoder developed in the same repository. JxlEncoderAddJPEGFrame is the libjxl encoder API that takes an existing JPEG file and transcodes it losslessly into a JPEG XL container, which is why the encoder has to parse JPEG itself.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crash (denial of service) from an out-of-bounds read or write while parsing the crafted JPEG, or disclosure of adjacent heap memory through the out-of-bounds read (for example when the resulting JPEG XL output is returned to the attacker).

🟢

If Mitigated

Limited impact where untrusted JPEGs are never passed to JxlEncoderAddJPEGFrame and the recompression step runs in a sandboxed, low-privilege process with ASLR and the usual compiler hardening enabled; an out-of-bounds read can still leak data from that process.

🌐 Internet-Facing: HIGH - Attackers can exploit by uploading malicious JPEG files to web applications using vulnerable libraries.
🏢 Internal Only: MEDIUM - Internal users could exploit via file processing applications, but requires user interaction or automated processing.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious JPEG files but no authentication needed. The vulnerability is in parsing logic, making reliable exploitation moderately complex.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99 or later

Vendor Advisory: https://github.com/libjxl/libjxl/commit/9cc451b91b74ba470fd72bd48c121e9f33d24c99

Restart Required: Yes

Instructions:

  1. Update libjxl to a release or source revision that includes commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99 (check your distribution's security tracker for the package version that carries the backport).
  2. Rebuild any application that links libjxl or jpegli statically or vendors their sources; dynamically linked applications pick up the new shared library on restart.
  3. Restart affected services so that the old library is no longer mapped.
  4. For distributions: update the package via the package manager and confirm the installed version is the patched one.

🔧 Temporary Workarounds

Disable JPEG recompression (applies to: all)
  • Do not call JxlEncoderAddJPEGFrame on untrusted input.
  • Change the application so that untrusted files are decoded by a separate JPEG library and the resulting pixels are encoded with JxlEncoderAddImageFrame. This gives up the lossless JPEG-to-JPEG XL transcoding but keeps untrusted bytes away from the affected parser.

Input validation (applies to: all)
  • Implement strict JPEG file validation before processing.
  • Put a validation layer that uses a separate, well-tested JPEG parser in front of libjxl and reject anything that is not a structurally valid baseline or progressive JPEG. This shrinks the attack surface but is not a fix: the validator may still accept inputs that the vulnerable decoder mishandles.
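The following is an added example of such a validation layer; it is not code from this page or from the libjxl project. It walks the JPEG marker structure in Python and rejects truncated segments, segment lengths that run past the file, out-of-range quantization and Huffman table identifiers, unsupported frame types (anything but Huffman SOF0/SOF1/SOF2), scans that reference undeclared components, and trailing data after EOI, before the bytes reach JxlEncoderAddJPEGFrame. The MAX_PIXELS limit, the sample JPEG and the malformed variants are constructed for the example. It checks structure only, not the entropy-coded data, so it narrows the input space but does not replace the patch.

```python
# Strict structural pre-check for JPEG bytes before they reach JxlEncoderAddJPEGFrame.
# Added example, not libjxl code; MAX_PIXELS is an assumed per-deployment limit.
import struct

SOF_ALLOWED = {0xC0, 0xC1, 0xC2}   # Huffman baseline / extended sequential / progressive only
MAX_PIXELS = 64 * 1024 * 1024      # bound on decoder memory use

class JpegValidationError(ValueError):
    """The stream violates one of the structural rules enforced here."""

def _segment(data, pos):
    """Parse the marker at pos -> (marker, payload_start, payload_end, next_pos)."""
    n, start = len(data), pos
    while pos < n and data[pos] == 0xFF:   # one or more 0xFF bytes introduce a marker
        pos += 1
    if pos == start or pos >= n or data[pos] == 0x00:
        raise JpegValidationError("bad or truncated marker at offset %d" % start)
    marker, pos = data[pos], pos + 1
    if marker in (0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
        return marker, pos, pos, pos       # SOI, EOI and RSTn carry no length field
    length = struct.unpack(">H", data[pos:pos + 2])[0] if pos + 2 <= n else 0
    if length < 2 or pos + length > n:     # the length field counts its own two bytes
        raise JpegValidationError("marker 0x%02X length %d exceeds file" % (marker, length))
    return marker, pos + 2, pos + length, pos + length

def _check_tables(marker, p):
    """DQT: Pq(0/1) Tq(0..3) + 64*(Pq+1) entries. DHT: Tc(0/1) Th(0..3) + 16 counts + symbols."""
    while p:
        hi, lo = p[0] >> 4, p[0] & 0x0F
        size = 1 + 64 * (hi + 1) if marker == 0xDB else 17 + sum(p[1:17])
        if hi > 1 or lo > 3 or len(p) < size or size > 17 + 256:   # at most 256 Huffman codes
            raise JpegValidationError("bad table in marker 0x%02X" % marker)
        p = p[size:]

def _check_sof(p):
    """Return the set of component ids; only 8-bit, non-zero, bounded frames pass."""
    height, width, ncomp = (*struct.unpack(">HH", p[1:5]), p[5]) if len(p) >= 6 else (0, 0, 0)
    if p[:1] != b"\x08" or not 0 < width * height <= MAX_PIXELS or len(p) != 6 + 3 * ncomp:
        raise JpegValidationError("bad frame header")
    comps = [tuple(p[6 + 3 * i:9 + 3 * i]) for i in range(ncomp)]   # (id, HV sampling, Tq)
    if not 1 <= ncomp <= 4 or len({c[0] for c in comps}) != ncomp or any(
            not (1 <= hv >> 4 <= 4 and 1 <= hv & 0x0F <= 4) or tq > 3 for _, hv, tq in comps):
        raise JpegValidationError("bad component descriptor")
    return {c[0] for c in comps}

def _skip_scan(data, pos):
    """Skip entropy-coded data; 0xFF00 stuffing, RSTn and 0xFF fill belong to the scan."""
    while pos + 1 < len(data):
        if data[pos] != 0xFF or data[pos + 1] == 0xFF:
            pos += 1
        elif data[pos + 1] == 0x00 or 0xD0 <= data[pos + 1] <= 0xD7:
            pos += 2
        else:
            return pos
    raise JpegValidationError("scan not terminated by a marker")

def _walk(data):
    if data[:2] != b"\xFF\xD8":
        raise JpegValidationError("missing SOI")
    pos, comp_ids, scans = 2, None, 0
    while True:
        marker, start, end, pos = _segment(data, pos)
        payload = data[start:end]
        if marker == 0xD9:                 # EOI: must follow a scan; strict mode rejects trailing bytes
            if scans == 0 or pos != len(data):
                raise JpegValidationError("no scan before EOI or trailing bytes after it")
            return
        if marker in SOF_ALLOWED and comp_ids is None:   # a second SOF falls through to 'not permitted'
            comp_ids = _check_sof(payload)
        elif marker in (0xDB, 0xC4):
            _check_tables(marker, payload)
        elif marker == 0xDA:               # SOS: needs a frame, Ns in 1..4, known component ids
            ns = payload[0] if payload else 0
            if comp_ids is None or not 1 <= ns <= 4 or len(payload) != 4 + 2 * ns \
                    or any(payload[1 + 2 * i] not in comp_ids for i in range(ns)):
                raise JpegValidationError("bad scan header")
            scans, pos = scans + 1, _skip_scan(data, pos)
        elif not (0xE0 <= marker <= 0xEF or marker in (0xDD, 0xFE)):   # APPn, DRI, COM pass
            raise JpegValidationError("marker 0x%02X not permitted here" % marker)

def validate_jpeg(data):
    """Return '' if the stream passes every rule, else the reason a gate would log."""
    try:
        return _walk(data) or ""
    except JpegValidationError as e:
        return str(e)

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
# Constructed 8x8 grey JPEG: DQT, SOF0, single-code DC and AC Huffman tables, one scan whose
# only block codes DC category 0 then EOB (bits 0,0 padded with 1s -> 0x3F), then EOI.
_HUFF = bytes([1] + [0] * 15) + b"\x00"
_DQT = _seg(0xDB, b"\x00" + bytes([16]) * 64)
_SOS = _seg(0xDA, b"\x01\x01\x00\x00\x3F\x00")
GOOD_JPEG = (b"\xFF\xD8" + _DQT + _seg(0xC0, b"\x08" + struct.pack(">HH", 8, 8) + b"\x01\x01\x11\x00")
             + _seg(0xC4, b"\x00" + _HUFF) + _seg(0xC4, b"\x10" + _HUFF) + _SOS + b"\x3F\xFF\xD9")
BAD_SAMPLES = {                            # constructed; each one breaks a single rule
    "truncated_before_eoi": GOOD_JPEG[:-2],
    "dqt_table_id_5": GOOD_JPEG.replace(_DQT, _seg(0xDB, b"\x05" + bytes([16]) * 64)),
    "segment_length_past_eof": b"\xFF\xD8\xFF\xC0\xFF\xFF" + GOOD_JPEG[2:],
    "sos_before_sof": b"\xFF\xD8" + _SOS + GOOD_JPEG[2:],
    "arithmetic_sof9": GOOD_JPEG.replace(b"\xFF\xC0", b"\xFF\xC9"),
}
```

A gate built on this calls validate_jpeg() on the uploaded bytes and only hands the file to the recompression step when it returns an empty string, logging the reason otherwise. The rules are deliberately stricter than the JPEG standard (8-bit Huffman frames only, no arithmetic coding, no DNL, no bytes after EOI), which is the right trade-off in front of a parser that is known not to validate its input.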

🧯 If You Can't Patch

  • Implement strict file upload restrictions for JPEG files
  • Isolate JPEG processing in sandboxed containers with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check the installed libjxl version or, for source builds, the commit hash. A source checkout is vulnerable if commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99 is not an ancestor of the built revision. Packaged builds are vulnerable unless the distribution has backported the fix; check its security advisory for CVE-2024-11403 rather than relying on the upstream version number alone.

Check Version:

cjxl --version (the command-line encoder shipped with libjxl), pkg-config --modversion libjxl, or the package manager: dpkg -l | grep libjxl or rpm -qa | grep libjxl

Verify Fix Applied:

Confirm the installed build includes commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99 or a distribution backport for CVE-2024-11403. Then, in a test environment, exercise the recompression path with a deliberately malformed JPEG and confirm the encoder returns an error instead of crashing.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Memory corruption errors in application logs
  • Unusual JPEG file processing failures

Network Indicators:

  • Multiple failed JPEG upload attempts
  • Unusual JPEG file sizes or patterns in uploads

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "memory corruption" OR "out of bounds") AND process="*jxl*"
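Because an out-of-bounds access in libjxl usually ends in SIGSEGV, the most reliable host-side indicator is the kernel's own "segfault at" line, which names the faulting process and the shared object the instruction pointer was in. The following is an added example, not from this page or from libjxl, that triages such lines in Python: it keeps only faults inside libjxl or jpegli objects and decodes the x86 page-fault error code so that write faults (the stronger memory-corruption signal) can be separated from reads. The log lines and the WATCHED_OBJECTS names are constructed for the example. Caveats: the kernel prints these lines only for user-space faults when show_unhandled_signals is enabled (the x86 default) and rate-limits them, the error-code bits are x86-specific, and an exploit that does not crash the process leaves no such line, so absence is not evidence of safety.

```python
# Triage Linux kernel "segfault at" lines for faults inside libjxl / jpegli objects.
# Added example, not from the page or libjxl; the log lines below are constructed.
import re
from collections import Counter

SEGFAULT_RE = re.compile(
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+) in (?P<obj>[^\s\[]+)"
)
WATCHED_OBJECTS = ("libjxl", "libjpegli", "cjxl", "djxl")   # assumed names in this deployment

def classify(line):
    """Return a finding dict for a fault inside a watched object, else None."""
    m = SEGFAULT_RE.search(line)
    if not m or not any(w in m["obj"] for w in WATCHED_OBJECTS):
        return None
    # The kernel prints the x86 page-fault error code in hex:
    # bit 0 = protection violation (else not-present), bit 1 = write, bit 2 = user mode.
    err = int(m["err"], 16)
    return {
        "proc": m["proc"], "pid": int(m["pid"]), "object": m["obj"],
        "access": "write" if err & 2 else "read",
        "user_mode": bool(err & 4),
        "addr": int(m["addr"], 16),
    }

def scan(lines):
    """Findings for every line that is a fault in a watched object."""
    return [f for f in map(classify, lines) if f]

def summarize(findings):
    """Count faults per (object, access type); writes are the stronger corruption signal."""
    return Counter((f["object"], f["access"]) for f in findings)

# Constructed syslog excerpt: two cjxl faults (one read, one write), an unrelated
# python3 fault, a convert fault inside jpegli, and a non-fault sshd line.
SAMPLE_LOG = """\
Nov 26 10:14:02 img-worker kernel: [ 9123.412] cjxl[4211]: segfault at 7f2d1c3ff000 ip 00007f2d2a1b4c2e sp 00007ffd1d2a8e60 error 4 in libjxl.so.0.11.0[7f2d2a05e000+2d3000]
Nov 26 10:14:05 img-worker kernel: [ 9126.001] cjxl[4217]: segfault at 7f8a00000010 ip 00007f8a1e9c71a3 sp 00007ffe3c0b2c10 error 6 in libjxl.so.0.11.0[7f8a1e86e000+2d3000]
Nov 26 10:14:09 img-worker kernel: [ 9130.777] python3[4302]: segfault at 0 ip 000055d2c1a3e1f0 sp 00007ffc9a1e0a20 error 4 in python3.11[55d2c1900000+3b0000]
Nov 26 10:14:12 img-worker kernel: [ 9133.314] convert[4333]: segfault at 7f1100401000 ip 00007f110f2e8a91 sp 00007fff2e1b0d40 error 4 in libjpegli.so.0.11.0[7f110f2a0000+9c000]
Nov 26 10:15:00 img-worker sshd[4400]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
""".splitlines()

if __name__ == "__main__":
    for (obj, access), count in sorted(summarize(scan(SAMPLE_LOG)).items()):
        print(f"{obj}: {count} {access} fault(s)")
```

Feeding this the kernel log from an image-processing host (journalctl -k, or the syslog stream the SIEM already collects) turns the generic "segmentation fault" search in the query above into a per-library, per-access-type count; a cluster of write faults in libjxl shortly after uploads is worth treating as an exploitation attempt rather than a stability bug.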

🔗 References

  • Fix commit in the libjxl repository: https://github.com/libjxl/libjxl/commit/9cc451b91b74ba470fd72bd48c121e9f33d24c99