Security update for libjxl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0648-1 Final 1 1 2026-02-25T16:30:57Z current 2026-02-25T16:30:57Z 2026-02-25T16:30:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libjxl This update for libjxl fixes the following issues: - CVE-2025-12474: a specially crafted file can cause the decoder to read pixel data from uninitialized allocated memory (bsc#1258090). - CVE-2026-1837: a specially crafted file can cause the decoder to write pixel data to uninitialized unallocated memory (bsc#1258091). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-648,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-648 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260648-1/ Link for SUSE-SU-2026:0648-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024399.html E-Mail link for SUSE-SU-2026:0648-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1258090 SUSE Bug 1258090 https://bugzilla.suse.com/1258091 SUSE Bug 1258091 https://www.suse.com/security/cve/CVE-2025-12474/ SUSE CVE CVE-2025-12474 page https://www.suse.com/security/cve/CVE-2026-1837/ SUSE CVE CVE-2026-1837 page SUSE Linux Enterprise Module for Package Hub 15 SP7 gdk-pixbuf-loader-jxl-0.10.3-150700.4.6.1 gimp-plugin-jxl-0.10.3-150700.4.6.1 jxl-thumbnailer-0.10.3-150700.4.6.1 libjxl-devel-0.10.3-150700.4.6.1 libjxl-tools-0.10.3-150700.4.6.1 libjxl0_10-0.10.3-150700.4.6.1 libjxl0_10-32bit-0.10.3-150700.4.6.1 libjxl0_10-64bit-0.10.3-150700.4.6.1 libjxl-devel-0.10.3-150700.4.6.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 libjxl-tools-0.10.3-150700.4.6.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 libjxl0_10-0.10.3-150700.4.6.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 libjxl0_10-32bit-0.10.3-150700.4.6.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized (but allocated) memory. This can be done by causing the decoder to reference an outside-image-bound area in a subsequent patches. An incorrect optimization causes the decoder to omit populating those areas. CVE-2025-12474 SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-devel-0.10.3-150700.4.6.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-tools-0.10.3-150700.4.6.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-0.10.3-150700.4.6.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-32bit-0.10.3-150700.4.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260648-1/ https://www.suse.com/security/cve/CVE-2025-12474.html CVE-2025-12474 https://bugzilla.suse.com/1258090 SUSE Bug 1258090 A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags). CVE-2026-1837 SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-devel-0.10.3-150700.4.6.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl-tools-0.10.3-150700.4.6.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-0.10.3-150700.4.6.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:libjxl0_10-32bit-0.10.3-150700.4.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260648-1/ https://www.suse.com/security/cve/CVE-2026-1837.html CVE-2026-1837 https://bugzilla.suse.com/1258091 SUSE Bug 1258091