VIR Vulnerability Intelligence Relay

CVE-2025-70103

high
Published 2026-05-27 Β· Modified 2026-05-30
πŸ’¬ Discuss on Community ✚ Propose mitigation
CVSS v3
7.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4 NEW
β€”
not yet in upstream
VIR risk
7.3

Description

Heap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM images to the jxl::extras::DecodeImagePNM function in file lib/extras/dec/pnm.cc.

Predictions

Exploit likelihood
82%
Patch ETA
β€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker Β· View original β†— Β· DFSG

CVE-2025-70103 NameCVE-2025-70103 DescriptionHeap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM images to the jxl::extras::DecodeImagePNM function in file lib/extras/dec/pnm.cc. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table…

CVE-2025-70103

NameCVE-2025-70103
DescriptionHeap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM images to the jxl::extras::DecodeImagePNM function in file lib/extras/dec/pnm.cc.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jpeg-xl (PTS)bookworm, bookworm (security)0.7.0-10+deb12u1vulnerable
trixie0.11.2-0.1~deb13u1vulnerable
forky, sid0.11.2-5vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jpeg-xlsource(unstable)(unfixed)

Notes

https://www.openwall.com/lists/oss-security/2026/05/30/7
https://github.com/libjxl/libjxl/issues/4337
https://github.com/libjxl/libjxl/pull/4380
Fixed by: https://github.com/libjxl/libjxl/commit/49fb89f23473e57fa1dac416adce7c7679e5d051

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
https://www.openwall.com/lists/oss-security/2026/05/30/7https://github.com/libjxl/libjxl/issues/4337https://github.com/libjxl/libjxl/pull/4380Fixed by: https://github.com/libjxl/libjxl/commit/49fb89f23473e57fa1dac416adce7c7679e5d051

OS impact
debian Debian Affected 4 releases
VersionStatusFixed in
trixie Affected β€”
sid Affected β€”
forky Affected β€”
bookworm Affected β€”
suse SUSE Affected 1 release
VersionStatusFixed in
β€” Affected β€”

References

CWEs

CWE-122

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.