GHSA-2v8p-fqpx-2q3wMediumCVSS 6.2Disclosed before NVD

jxl-oxide: integer subtraction overflow panic in cluster_from_table via crafted JXL input (DoS)

Published
July 2, 2026
Last Modified
July 2, 2026

📋 Description

Summary

Logic bug in decode_simple_table_slow may cause integer arithmetic overflow when decoding Modular image with certain kind of MA tree, which may panic with overflow-checks enabled.

Impact

Denial of service: any application passing untrusted JXL data to JxlImage::render_frame (or equivalent) can be crashed. Affects all builds with overflow checks enabled, which includes debug builds and any release build that sets overflow-checks = true in Cargo.toml or [profile.*].

No memory corruption is possible — the panic fires before any unsafe code is reached.

🎯 Affected products1

  • rust/jxl-modular:<= 0.11.2

🔗 References (2)