Ubuntu alert USN-8146-1 (jpeg-xl) [LWN.net]


From:
               noreply+usn-bot@canonical.com
To:
               ubuntu-security-announce@lists.ubuntu.com
Subject:
               [USN-8146-1] libjxl vulnerability
Date:
               Thu, 02 Apr 2026 19:22:30 +0000
Message-ID:
               <E1w8Ncc-0005FI-UJ@lists.ubuntu.com>
==========================================================================
Ubuntu Security Notice USN-8146-1
April 02, 2026

jpeg-xl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10

Summary:

libjxl could be made to crash or run programs as your login if it
opened a specially crafted file.

Software Description:
- jpeg-xl: Reference codec implementation for JPEG XL compressed raster image format

Details:

Daniel Novomeský discovered that libjxl did not properly manage memory when
decoding certain files. An attacker could use this issue to cause
libjxl to crash, resulting in denial of service, or possibly execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  libjpegxl-java                  0.11.1-6ubuntu1.1
  libjxl-tools                    0.11.1-6ubuntu1.1
  libjxl0.11                      0.11.1-6ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8146-1
  CVE-2026-1837

Package Information:
  https://launchpad.net/ubuntu/+source/jpeg-xl/0.11.1-6ubun...


Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmnOwccACgkQcpJm3tlz
hgGhvg/9FU9TBfwH2A+OOh5eyZziOXhoNCdG0PP/Tce+BgQPvH+cv1pyPct2Lmmb
5A/o0yX2av0dGmC7ewHgY8uxxJZ2Bhqkk+gOdk5KPJSlaiN/VderFPlObcAEGVlW
PSw7+Zz8LQbh1QRj+NYmVK+zNnW+MvbQts/oiPvp5egQKMgdcxxCTtN6UYn1xZJN
m+TrIn2RTxGi1b3RMSGjmBq8cJfpbYaaNXuvJ5dgIuQpLbjehxNdhnEw73gMdHY6
StrJirprx6oB40Tx5THDAh2WHBK7VE8vyXRcEUjUU+Jl3Vg0RYsavqpg9bQmm3VE
U8oY6fR8VjkgDnOzqxqH8YB3OcguFZDv8/M7cIrdUFSKD4oCsUMDSr2Q/dQ+9w9u
KI8dRTmJQ2+/kuzD/sa+QKE1sjbYQGnpOlNAbBB0JZfQIxTzQyT8iRH6OogcilHb
8KCAE3axXQKE5Lfqpw0CRWLgXsjdXju7O7sGcS5d6J9/qsCpqXkiEXtLmcNNOroJ
rHnneLCLd4W/679KHkG7ZbJtPDn9ZalOXnpeKdMb8Mh+DdwqSHwFvba6o52yVfnX
mUu9RbT31soVypjF6/fR3NfQ+WSPbBBEkWf4EZiUovCq0p3Vc6NiEzqOfPtPf7MK
AWuADmLiVVaaTT8Ez2jWvLRhgOnc8316SvE8dJxRm/XcbtTMKfA=
=Rx3p
-----END PGP SIGNATURE-----
From:		noreply+usn-bot@canonical.com
To:		ubuntu-security-announce@lists.ubuntu.com
Subject:		[USN-8146-1] libjxl vulnerability
Date:		Thu, 02 Apr 2026 19:22:30 +0000
Message-ID:		<E1w8Ncc-0005FI-UJ@lists.ubuntu.com>