CVE-2013-6629

The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.

Published: 2013-11-19
Last update: 2026-04-29
Assigner: [email protected]
Source: [email protected]

Conclusion & alert: CVE-2013-6629 is rated Moderate Risk (58.3/100): CVSS Medium severity, with high exploitation likelihood (EPSS 10.12%, 95th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +9.81% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2013-6629

EPSS is a daily estimate of the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a more severe relative rank).

| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
| --- | --- | --- | --- | --- |
| 1 | 2026-06-15 | 0.31% | 10.12% | +9.81% |
| 2 | 2026-05-19 | 0.21% | 0.31% | +0.10% |
| 3 | 2025-07-09 | | 0.21% | |

Full EPSS history (11 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2013-6629

CVSS metrics for this CVE.

| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
| --- | --- | --- | --- | --- | --- | --- |
| 5.0 | 2.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | [email protected] |

Vector breakdown:

- Access vector (AV:N): Can be exploited remotely over network reachability.
- Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
- Authentication (Au:N): No authentication is required.
- Confidentiality impact (C:P): Partial confidentiality impact.
- Integrity impact (I:N): No integrity impact.
- Availability impact (A:N): No availability impact.

Weakness enumeration for CVE-2013-6629

OS Trackers for CVE-2013-6629

| Vendor | Priority | Summary | Link |
| --- | --- | --- | --- |
| debian | low | CVE-2013-6629 low priority: Debian including 2 source packages (libjpeg-turbo, libjpeg6b), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. | https://security-tracker.debian.org/tracker/CVE-2013-6629 |
| gentoo | normal | CVE-2013-6629: 2 GLSA(s) (201406-32, 201606-03), 2 atom(s) (dev-java/icedtea-bin, media-libs/libjpeg-turbo); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2013-6629 |
| redhat | medium | | https://access.redhat.com/security/cve/CVE-2013-6629 |
| suse | medium | CVE-2013-6629 severity moderate: SUSE including 133 source package names (MozillaFirefox-140.2.0-160000.1.2, MozillaFirefox-31.1.0esr-1.20, …), 245 product×package rows across 47 product lines (HPE Helion OpenStack 8, SUSE Linux Enterprise Desktop 11 SP3, … (47 product lines)): Fixed 202, Known Not Affected 43. | https://www.suse.com/security/cve/CVE-2013-6629/ |
| ubuntu | medium | CVE-2013-6629 medium priority: Ubuntu including 5 source packages (firefox, libjpeg-turbo, libjpeg6b, openjdk-7, thunderbird), 30 status rows across 7 suites (lucid, precise, quantal, raring, saucy, trusty, upstream): released 21, ignored 5, DNE 3, needed 1. | https://ubuntu.com/security/CVE-2013-6629 |

Affected software / configurations for CVE-2013-6629

| Vendor | Product | Version | Raw CPE |
| --- | --- | --- | --- |
| google | chrome | < 31.0.1650.48 | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* |
| oracle | solaris | 11.3 | cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:* |
| artifex | gpl_ghostscript | < 9.03 | cpe:2.3:a:artifex:gpl_ghostscript:*:*:*:*:*:*:*:* |
| libjpeg-turbo | libjpeg-turbo | < 1.3.1 | cpe:2.3:a:libjpeg-turbo:libjpeg-turbo:*:*:*:*:*:*:*:* |
| fedoraproject | fedora | 18 | cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:* |
| fedoraproject | fedora | 19 | cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:* |
| fedoraproject | fedora | 20 | cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:* |
| opensuse | opensuse | 12.2 | cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:* |
| opensuse | opensuse | 12.3 | cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:* |
| opensuse | opensuse | 13.1 | cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 10.04 | cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:* |
| canonical | ubuntu_linux | 12.04 | cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:* |
| canonical | ubuntu_linux | 12.10 | cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 13.04 | cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 13.10 | cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:* |
| debian | debian_linux | 7.0 | cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* |
| debian | debian_linux | 8.0 | cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
| mozilla | firefox | < 24.2 | cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* |
| mozilla | firefox | < 26.0 | cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* |
| mozilla | seamonkey | < 2.23 | cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:* |
| mozilla | thunderbird | < 24.2.0 | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* |

References for CVE-2013-6629

| URL | Tags |
| --- | --- |
| http://advisories.mageia.org/MGASA-2013-0333.html | Third Party Advisory |
| http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html | Broken Link |
| http://bugs.ghostscript.com/show_bug.cgi?id=686980 | Issue Tracking, Vendor Advisory |
| http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html | Vendor Advisory |
| http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 | Third Party Advisory |
| http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123437.html | Mailing List, Third Party Advisory |
| http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124108.html | Mailing List, Third Party Advisory |
| http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124257.html | Mailing List, Third Party Advisory |
| http://lists.fedoraproject.org/pipermail/package-announce/2014-January/125470.html | Mailing List, Third Party Advisory |
| http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00025.html | Mailing List, Third Party Advisory |
| http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00026.html | Mailing List, Third Party Advisory |
| http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00002.html | Mailing List, Third Party Advisory |
| http://lists.opensuse.org/opensuse-updates/2013-12/msg00085.html | Mailing List, Third Party Advisory |
| http://lists.opensuse.org/opensuse-updates/2013-12/msg00086.html | Mailing List, Third Party Advisory |
| http://lists.opensuse.org/opensuse-updates/2013-12/msg00087.html | Mailing List, Third Party Advisory |
| http://lists.opensuse.org/opensuse-updates/2013-12/msg00119.html | Mailing List, Third Party Advisory |
| http://lists.opensuse.org/opensuse-updates/2013-12/msg00120.html | Mailing List, Third Party Advisory |
| http://lists.opensuse.org/opensuse-updates/2013-12/msg00121.html | Mailing List, Third Party Advisory |
| http://lists.opensuse.org/opensuse-updates/2014-01/msg00002.html | Mailing List, Third Party Advisory |
| http://lists.opensuse.org/opensuse-updates/2014-01/msg00042.html | Mailing List, Third Party Advisory |
| http://marc.info/?l=bugtraq&m=140852886808946&w=2 | Issue Tracking, Mailing List, Third Party Advisory |
| http://marc.info/?l=bugtraq&m=140852974709252&w=2 | Issue Tracking, Mailing List, Third Party Advisory |
| http://rhn.redhat.com/errata/RHSA-2013-1803.html | Third Party Advisory |
| http://rhn.redhat.com/errata/RHSA-2013-1804.html | Third Party Advisory |
| http://secunia.com/advisories/56175 | Not Applicable |
| http://secunia.com/advisories/58974 | Not Applicable |
| http://secunia.com/advisories/59058 | Not Applicable |
| http://security.gentoo.org/glsa/glsa-201406-32.xml | Third Party Advisory |
| http://support.apple.com/kb/HT6150 | Third Party Advisory |
| http://support.apple.com/kb/HT6162 | Third Party Advisory |
| http://support.apple.com/kb/HT6163 | Third Party Advisory |
| http://www-01.ibm.com/support/docview.wss?uid=swg21672080 | Third Party Advisory |
| http://www-01.ibm.com/support/docview.wss?uid=swg21676746 | Broken Link |
| http://www.debian.org/security/2013/dsa-2799 | Third Party Advisory |
| http://www.mandriva.com/security/advisories?name=MDVSA-2013:273 | Broken Link |
| http://www.mozilla.org/security/announce/2013/mfsa2013-116.html | Third Party Advisory |
| http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html | Third Party Advisory |
| http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html | Third Party Advisory |
| http://www.securityfocus.com/bid/63676 | Broken Link, Third Party Advisory, VDB Entry |
| http://www.securitytracker.com/id/1029470 | Broken Link, Third Party Advisory, VDB Entry |
| http://www.securitytracker.com/id/1029476 | Broken Link, Third Party Advisory, VDB Entry |
| http://www.ubuntu.com/usn/USN-2052-1 | Third Party Advisory |
| http://www.ubuntu.com/usn/USN-2053-1 | Third Party Advisory |
| http://www.ubuntu.com/usn/USN-2060-1 | Third Party Advisory |
| https://access.redhat.com/errata/RHSA-2014:0413 | Third Party Advisory |
| https://access.redhat.com/errata/RHSA-2014:0414 | Third Party Advisory |
| https://bugzilla.mozilla.org/show_bug.cgi?id=891693 | Issue Tracking, Patch, Third Party Advisory |
| https://code.google.com/p/chromium/issues/detail?id=258723 | Issue Tracking, Third Party Advisory |
| https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2013-6629 | Patch, Third Party Advisory |
| https://security.gentoo.org/glsa/201606-03 | Third Party Advisory |
| https://src.chromium.org/viewvc/chrome?revision=229729&view=revision | Patch, Third Party Advisory |
| https://www.ibm.com/support/docview.wss?uid=swg21675973 | Third Party Advisory |