#VU17049 Division by zero in libjpeg - CVE-2018-11212


| Updated: 2020-01-13

Vulnerability identifier: #VU17049

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-11212

CWE-ID: CWE-369

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libjpeg
Universal components / Libraries / Libraries used by multiple products

Vendor: libjpeg.sourceforge.net

Description
The vulnerability allows a remote attacker to cause DoS condition.

The weakness exists due to division by zero error within the libjpeg library within the libjpeg-turbo in alloc_sarray() function of jmemmgr.c file. A remote attacker can pass a specially crafted file the to affected application and cause application to crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libjpeg: 9a - 9

External links
https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9a

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Autodesk InfraWorks
Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)
Multiple vulnerabilities in Dell EMC Search
Multiple vulnerabilities in Dell EMC Data Protection Advisor
Multiple vulnerabilities in Dell EMC Integrated Data Protection Appliance
Ubuntu update for libjpeg6b
Multiple vulnerabilities in Oracle Internet Directory
Amazon Linux AMI update for libjpeg-turbo
Red Hat update for libjpeg-turbo
OpenSUSE Linux update for java-1_7_0-openjdk