cve 2023 2804
About this tag
CVE-2023-2804 is a heap-based buffer overflow vulnerability in libjpeg-turbo's merged upsampling code, specifically affecting 12-bit JPEG support. The flaw resides in the h2v2_merged_upsample_internal() function in jdmrgext.c, where unchecked sample values can cause out-of-bounds heap access when processing specially crafted 12-bit lossless JPEG images. This can lead to crashes or memory corruption, posing risks across desktop, server, and embedded systems. Discussions on WindowsForum cover the technical details of the vulnerability and provide patch guidance for mitigation. Users are advised to update libjpeg-turbo to version 3.0 or later to address this issue.
A heap‑based buffer overflow in libjpeg‑turbo’s merged upsampling code — tracked as CVE‑2023‑2804 — remains a practical reminder that long‑tail, niche JPEG features can produce high‑impact crashes and information‑security headaches across desktop, server and embedded ecosystems. The flaw is...