JLSEC-2026-126 Medium 4.5
In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer overflows in multiplications involving rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes.
References
- https://github.com/AOMediaCodec/libavif/commit/64d956ed5a602f78cebf29da023280944ee92efd
- https://github.com/AOMediaCodec/libavif/pull/2769
- https://github.com/AOMediaCodec/libavif/security/advisories/GHSA-762c-2538-h844
- https://lists.debian.org/debian-lts-announce/2025/05/msg00031.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-48175
- https://github.com/advisories/GHSA-44mp-2g68-7wvv