A heap-based buffer overflow exists in libjpeg-turbo's h2v2_merged_upsample_internal() function when processing 12-bit lossless JPEG images. An attacker could craft an image containing out-of-range 12-bit samples that, when decompressed with merged upsampling enabled, may trigger a segmentation fault or buffer overflow, resulting in an application crash.
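The failure class the description points at is a sample value used as an index into a table sized for the legal 12-bit range (0..4095) without first being range-limited. The following is an added, self-contained C model of that pattern written for this advisory; it is not libjpeg-turbo's code, and the names (cr_r_tab, MAXSAMPLE, first_out_of_range, cr_to_r_safe, convert_row_safe), the 1.402 conversion factor and the sample rows are constructed for illustration. It shows the precondition check a decoder can run before merged upsampling, and a hardened lookup that clamps before indexing so the table is never read past its end.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a 12-bit colour-conversion lookup, written for this
 * advisory as an illustration; it is NOT libjpeg-turbo's code. */
#define BITS_IN_SAMPLE 12
#define MAXSAMPLE ((1 << BITS_IN_SAMPLE) - 1)   /* 4095 */
#define CENTER    ((MAXSAMPLE + 1) / 2)          /* 2048 */

/* Table holds exactly one entry per legal sample value (0..4095). */
static int cr_r_tab[MAXSAMPLE + 1];
static int table_ready = 0;

/* Fill the table the way a Cr->R contribution table is commonly built,
 * 1.402 * (Cr - centre); the constant is illustrative only. */
static void build_table(void)
{
    if (table_ready) return;
    for (int i = 0; i <= MAXSAMPLE; i++)
        cr_r_tab[i] = (int)(1.402 * (i - CENTER));
    table_ready = 1;
}

/* Return 1 if using `sample` directly as a table index would read outside
 * cr_r_tab. This is the precondition the advisory describes: a sample that
 * was never range-limited reaches a table sized for 0..MAXSAMPLE. */
int unchecked_index_is_oob(int sample)
{
    return sample < 0 || sample > MAXSAMPLE;
}

/* Index of the first out-of-range sample in a row, or -1 if the row is clean.
 * A decoder can run this before handing the row to upsampling/conversion. */
long first_out_of_range(const int *row, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (unchecked_index_is_oob(row[i])) return (long)i;
    return -1;
}

/* Clamp a sample into 0..MAXSAMPLE so it is always a valid index. */
static int range_limit(int sample)
{
    if (sample < 0) return 0;
    if (sample > MAXSAMPLE) return MAXSAMPLE;
    return sample;
}

/* Hardened lookup: range-limit first, then index. Never reads past the table. */
int cr_to_r_safe(int cr)
{
    build_table();
    return cr_r_tab[range_limit(cr)];
}

/* Convert a whole row of Cr samples; returns how many had to be clamped so a
 * caller can log, or reject, images whose sample data is out of spec. */
size_t convert_row_safe(const int *cr_row, size_t n, int *out)
{
    size_t clamped = 0;
    for (size_t i = 0; i < n; i++) {
        if (unchecked_index_is_oob(cr_row[i])) clamped++;
        out[i] = cr_to_r_safe(cr_row[i]);
    }
    return clamped;
}

int main(void)
{
    /* Constructed row: two legal samples, one above the 12-bit maximum and
     * one negative, the kind of values an unclamped predictor could yield. */
    int row[] = { 2048, 4095, 5000, -7 };
    int out[4];
    size_t n = sizeof row / sizeof row[0];

    printf("first out-of-range index: %ld\n", first_out_of_range(row, n));
    size_t clamped = convert_row_safe(row, n, out);
    printf("%zu sample(s) clamped; outputs:", clamped);
    for (size_t i = 0; i < n; i++) printf(" %d", out[i]);
    printf("\n");
    return 0;
}
```

The count returned by convert_row_safe is the useful detection signal: a well-formed image should clamp nothing, so a non-zero count on a decoded row is worth logging, and a defensive caller can treat it as grounds to reject the image rather than silently continue.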
According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

How could an attacker exploit this vulnerability?

An authenticated attacker could exploit the vulnerability by uploading a malicious TIFF file to a server.

Why is Microsoft addressing CVE-2023-2804, a vulnerability originally reported by Red Hat?

Microsoft uses the open-source libjpeg-turbo component inside certain Windows imaging components. The vulnerability was fixed upstream in libjpeg-turbo 3.0.2 (3.0.2 release notes), so Microsoft updated our internal copy accordingly. Customers do not need to take action; this fix is delivered through Microsoft servicing.

What version contains the fix?

Microsoft integrated the upstream fix from libjpeg-turbo 3.0.2, and later builds may include the newer 3.1.3 upstream version (latest release). Customers receive the corrected version automatically through Windows updates.
Hussein Alrubaye with Microsoft