Skip to main content

Imager CVE-2026-13705

| EUVDEUVD-2026-41872 HIGH
Out-of-bounds Read (CWE-125)
2026-07-06 9b29abf9-4ab0-4765-b253-1875cd9b441e GHSA-pmgh-mrwc-qw67
7.1
CVSS 3.1 · Vendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Share

Severity by source

Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
vuln.today AI
6.1 MEDIUM

Local file must be fed to the parser (AV:L, UI:R, PR:N); dominant impact is a crash (A:H), with only limited over-read exposure (C:L) and no integrity effect.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e).

CVSS VectorVendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 06, 2026 - 20:23 vuln.today
CVSS changed
Jul 06, 2026 - 20:22 NVD
7.1 (HIGH)
Patch available
Jul 06, 2026 - 14:02 EUVD
CVE Published
Jul 06, 2026 - 13:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle.

read_rgb_16_rle guards each literal run with if (count > data_left), but count is a pixel count while every 16-bit sample consumes two bytes. The copy loop reads inp[0] * 256 + inp[1] and advances two bytes per pixel, so a run with data_left / 2 < count <= data_left passes the guard yet consumes 2 * count bytes and reads past the end of the buffer. The 8-bit path is unaffected because there one pixel is one byte.

Reading a crafted SGI image through Imager->read triggers the over-read before the parser rejects the malformed image, which can crash the process.

AnalysisAI

Heap out-of-bounds read in the Perl Imager module (versions before 1.032) lets a crafted SGI image over-read past a decode buffer and crash the process. The flaw lives in the bundled Imager::File::SGI reader's read_rgb_16_rle routine, where a 16-bit RLE literal run is length-checked in pixels but consumed as two bytes per pixel, defeating the bounds guard. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious SGI image
Delivery
Deliver to image-parsing app
Exploit
App calls Imager->read
Execution
16-bit RLE guard bypassed in read_rgb_16_rle
Persist
Heap over-read past buffer
Impact
Process crash (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to parse an attacker-supplied SGI/RGB image through Imager->read using the bundled Imager::File::SGI reader, and the malicious file must contain a 16-bit RLE literal run with a pixel count in the window data_left/2 < count <= data_left; the 8-bit RLE path cannot trigger it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H, score 7.1) frames this as a local, low-complexity, unauthenticated issue that requires user interaction - specifically, the application or user must feed a malicious SGI file to Imager->read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts an SGI image containing a 16-bit RLE literal run whose pixel count falls between data_left/2 and data_left, then delivers it to a target that decodes images with Imager (for example, an avatar or document upload endpoint). When the application calls Imager->read on the file, the reader over-reads past the buffer and crashes the worker process before the malformed image is rejected. …
Remediation Upgrade to Imager 1.032 or later, which contains the fix - Vendor-released patch: version 1.032, corresponding to upstream commit f28de02770dfc26ffbdc32048970ed84babbf730 (patch at https://github.com/tonycoz/imager/commit/f28de02770dfc26ffbdc32048970ed84babbf730.patch). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems running Perl Imager module, documenting version numbers and deployment scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13705 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy