CVE-2025-12474
Publication date 11 February 2026
Last updated 10 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized (but allocated) memory. This can be done by causing the decoder to reference an outside-image-bound area in a subsequent patches. An incorrect optimization causes the decoder to omit populating those areas.
Why is this CVE low priority?
Vulnerability enables reading uninitialized memory when decoding a specially crafted file
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| graphicsmagick | 26.04 LTS resolute |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial | Ignored end of ESM support, was needs-triage | |
| 14.04 LTS trusty |
Needs evaluation
|
Severity score breakdown
CVSS version:
Base score
2.3 · Low
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Base score
4.4 · Medium
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N