CVE-2025-12474
Awaiting Analysis Awaiting Analysis - Queue
Uninitialized Memory Read in libjxl Decoder via Crafted File

Publication date: 2026-02-11

Last updated on: 2026-04-24

Assigner: Google Inc.

Description
A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized (but allocated) memory. This can be done by causing the decoder to reference an outside-image-bound area in a subsequent patches. An incorrect optimization causes the decoder to omit populating those areas.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-14
NVD
CVE-2025-12474
EUVD
EUVD-2025-207023
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libjxl_project libjxl From 0.7.0 (inc) to 0.11.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-908 The product uses or accesses a resource that has not been initialized.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the libjxl image decoding library where a specially-crafted file can cause the decoder to read pixel data from uninitialized but allocated memory.

The issue arises because the decoder references areas outside the image bounds in subsequent patches, and due to an incorrect optimization, it fails to populate those areas properly.

Impact Analysis

The impact of this vulnerability is that the libjxl decoder may read uninitialized memory, which could potentially lead to information disclosure or cause instability in applications using the library.

However, the CVSS base score is low (2.3), indicating that the vulnerability has limited impact and requires high attack complexity with user interaction.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the vulnerability CVE-2025-12474, you should update the libjxl library to include the fix implemented in Pull Request #4495.

This fix improves the low memory rendering pipeline by correcting parameter calculations and refactoring code to enhance stability and correctness under low memory conditions, thereby preventing the decoder from reading uninitialized memory.

Ensure that your libjxl version includes this patch merged on October 29, 2025, to protect against this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12474. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart