jpeg CVE Vulnerabilities & Metrics

Focus on jpeg vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About jpeg Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with jpeg. We track both calendar-based metrics (using fixed periods) and rolling metrics (using sliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total jpeg CVEs: 16
Earliest CVE date: 05 Mar 2021, 14:15 UTC
Latest CVE date: 13 Jul 2023, 23:15 UTC

Latest CVE reference: CVE-2023-37837

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -100.0%

[Charts not reproduced: Monthly CVE Trends (current vs. previous year); Annual CVE Trends (last 20 years); Critical jpeg CVEs (CVSS ≥ 9) over 20 years]

CVSS Stats

Average CVSS: 2.84

Max CVSS: 6.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 6
4.0-6.9 10
7.0-8.9 0
9.0-10.0 0

[Chart not reproduced: CVSS Distribution]

Top 5 Highest CVSS jpeg CVEs

These are the five CVEs with the highest CVSS scores for jpeg, sorted first by severity and then by recency.

All CVEs for jpeg

CVE-2023-37837 jpeg vulnerability CVSS: 0 13 Jul 2023, 23:15 UTC

libjpeg commit db33a6e was discovered to contain a heap buffer overflow via LineBitmapRequester::EncodeRegion at linebitmaprequester.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

CVE-2023-37836 jpeg vulnerability CVSS: 0 13 Jul 2023, 23:15 UTC

libjpeg commit db33a6e was discovered to contain a reachable assertion via BitMapHook::BitMapHook at bitmaphook.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

CVE-2022-37770 jpeg vulnerability CVSS: 0 18 Aug 2022, 20:15 UTC

libjpeg commit 281daa9 was discovered to contain a segmentation fault via LineMerger::GetNextLowpassLine at linemerger.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

CVE-2022-37769 jpeg vulnerability CVSS: 0 18 Aug 2022, 20:15 UTC

libjpeg commit 281daa9 was discovered to contain a segmentation fault via HuffmanDecoder::Get at huffmandecoder.hpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

CVE-2022-37768 jpeg vulnerability CVSS: 0 18 Aug 2022, 20:15 UTC

libjpeg commit 281daa9 was discovered to contain an infinite loop via the component Frame::ParseTrailer.

CVE-2022-35166 jpeg vulnerability CVSS: 0 18 Aug 2022, 05:15 UTC

libjpeg commit 842c7ba was discovered to contain an infinite loop via the component JPEG::ReadInternal.

CVE-2022-32978 jpeg vulnerability CVSS: 4.3 10 Jun 2022, 15:15 UTC

There is an assertion failure in SingleComponentLSScan::ParseMCU in singlecomponentlsscan.cpp in libjpeg before 1.64 via an empty JPEG-LS scan.

CVE-2022-31796 jpeg vulnerability CVSS: 4.3 02 Jun 2022, 14:15 UTC

libjpeg 1.63 has a heap-based buffer over-read in HierarchicalBitmapRequester::FetchRegion in hierarchicalbitmaprequester.cpp because the MCU size can be different between allocation and use.

CVE-2021-39520 jpeg vulnerability CVSS: 4.3 20 Sep 2021, 16:15 UTC

An issue was discovered in libjpeg through 2020021. A NULL pointer dereference exists in the function BlockBitmapRequester::PushReconstructedData() located in blockbitmaprequester.cpp. It allows an attacker to cause Denial of Service.

CVE-2021-39519 jpeg vulnerability CVSS: 4.3 20 Sep 2021, 16:15 UTC

An issue was discovered in libjpeg through 2020021. A NULL pointer dereference exists in the function BlockBitmapRequester::PullQData() located in blockbitmaprequester.cpp. It allows an attacker to cause Denial of Service.

CVE-2021-39518 jpeg vulnerability CVSS: 4.3 20 Sep 2021, 16:15 UTC

An issue was discovered in libjpeg through 2020021. LineBuffer::FetchRegion() in linebuffer.cpp has a heap-based buffer overflow.

CVE-2021-39517 jpeg vulnerability CVSS: 4.3 20 Sep 2021, 16:15 UTC

An issue was discovered in libjpeg through 2020021. A NULL pointer dereference exists in the function BlockBitmapRequester::ReconstructUnsampled() located in blockbitmaprequester.cpp. It allows an attacker to cause Denial of Service.

CVE-2021-39516 jpeg vulnerability CVSS: 4.3 20 Sep 2021, 16:15 UTC

An issue was discovered in libjpeg through 2020021. A NULL pointer dereference exists in the function HuffmanDecoder::Get() located in huffmandecoder.hpp. It allows an attacker to cause Denial of Service.

CVE-2021-39515 jpeg vulnerability CVSS: 4.3 20 Sep 2021, 16:15 UTC

An issue was discovered in libjpeg through 2020021. A NULL pointer dereference exists in the function SampleInterleavedLSScan::ParseMCU() located in sampleinterleavedlsscan.cpp. It allows an attacker to cause Denial of Service.

CVE-2021-39514 jpeg vulnerability CVSS: 4.3 20 Sep 2021, 16:15 UTC

An issue was discovered in libjpeg through 2020021. An uncaught floating point exception exists in the function ACLosslessScan::ParseMCU() located in aclosslessscan.cpp. It allows an attacker to cause Denial of Service.

CVE-2021-28026 jpeg vulnerability CVSS: 6.8 05 Mar 2021, 14:15 UTC

jpeg-xl v0.3.2 is affected by a heap buffer overflow in /lib/jxl/coeff_order.cc ReadPermutation. When decoding a malicious jxl file using djxl, an attacker can trigger arbitrary code execution or a denial of service.