{"id":"CVE-2023-2804","details":"A heap-based buffer overflow issue was discovered in libjpeg-turbo in h2v2_merged_upsample_internal() function of jdmrgext.c file. The vulnerability can only be exploited with 12-bit data precision for which the range of the sample data type exceeds the valid sample range, hence, an attacker could craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application attempting to decompress such image using merged upsampling would lead to segmentation fault or buffer overflows, causing an application to crash.","modified":"2026-04-12T01:01:17.122415Z","published":"2023-05-25T22:15:09.443Z","related":["CGA-34c5-qwrj-fq2c","openSUSE-SU-2024:13552-1"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2023-2804"},{"type":"ADVISORY","url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2208447"},{"type":"FIX","url":"https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021"},{"type":"FIX","url":"https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118"},{"type":"FIX","url":"https://github.com/libjpeg-turbo/libjpeg-turbo/issues/675"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libjpeg-turbo/libjpeg-turbo","events":[{"introduced":"0"},{"last_affected":"fd93d98a959ac3700e2da07310a44867c9c46f03"},{"fixed":"9f756bc67a84d4566bf74a0c2432aa55da404021"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.1.90"}]}}],"versions":["0.0.90","0.0.91","0.0.93","1.0.0","1.0.1","1.0.90","1.1.90","1.2.90","1.3.90","1.4.90","1.5.0","1.5.90","2.0.0","2.0.90","2.1.0","2.1.1","2.1.2","2.1.3","2.1.90","2.1.91","jpeg-1","jpeg-2","jpeg-3","jpeg-4","jpeg-4a","jpeg-5","jpeg-5a","jpeg-5b","jpeg-6","jpeg-6a","jpeg-6b"],"database_specific":{"vanir_signatures_modified":"2026-04-12T01:01:17Z","vanir_signatures":[{"deprecated":false,"signature_type":"Function","target":{"file":"jdlossls.c","function":"noscale"},"id":"CVE-2023-2804-2cf6521f","signature_version":"v1","digest":{"length":138,"function_hash":"45893349253428892599678605874317640076"},"source":"https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021"},{"deprecated":false,"signature_type":"Function","target":{"file":"jdlossls.c","function":"simple_upscale"},"id":"CVE-2023-2804-41bd6fca","signature_version":"v1","digest":{"length":153,"function_hash":"112376369083220100668902696318947702360"},"source":"https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021"},{"deprecated":false,"signature_type":"Line","target":{"file":"jdlossls.c"},"id":"CVE-2023-2804-f12af71f","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["264453119585316427186485396598254512130","65582456727176366817468335422094827974","30055463991005291524467097402588854178","310651516989145847112025202950843573985","107740660841104471832336593730836883285","224351062765144820444831876706738103013","320633655483827400771117174154721494510","198497929741904313163517209949287782005","211719071145529734302749623535903388273","8154639209289213855050992008852297386","271144142464856104214596135343707024446"]},"source":"https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-2804.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}