Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Local file must be fed to the parser (AV:L, UI:R, PR:N); dominant impact is a crash (A:H), with only limited over-read exposure (C:L) and no integrity effect.
Primary rating from Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e).
CVSS VectorVendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle.
read_rgb_16_rle guards each literal run with if (count > data_left), but count is a pixel count while every 16-bit sample consumes two bytes. The copy loop reads inp[0] * 256 + inp[1] and advances two bytes per pixel, so a run with data_left / 2 < count <= data_left passes the guard yet consumes 2 * count bytes and reads past the end of the buffer. The 8-bit path is unaffected because there one pixel is one byte.
Reading a crafted SGI image through Imager->read triggers the over-read before the parser rejects the malformed image, which can crash the process.
AnalysisAI
Heap out-of-bounds read in the Perl Imager module (versions before 1.032) lets a crafted SGI image over-read past a decode buffer and crash the process. The flaw lives in the bundled Imager::File::SGI reader's read_rgb_16_rle routine, where a 16-bit RLE literal run is length-checked in pixels but consumed as two bytes per pixel, defeating the bounds guard. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to parse an attacker-supplied SGI/RGB image through Imager->read using the bundled Imager::File::SGI reader, and the malicious file must contain a 16-bit RLE literal run with a pixel count in the window data_left/2 < count <= data_left; the 8-bit RLE path cannot trigger it. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H, score 7.1) frames this as a local, low-complexity, unauthenticated issue that requires user interaction - specifically, the application or user must feed a malicious SGI file to Imager->read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts an SGI image containing a 16-bit RLE literal run whose pixel count falls between data_left/2 and data_left, then delivers it to a target that decodes images with Imager (for example, an avatar or document upload endpoint). When the application calls Imager->read on the file, the reader over-reads past the buffer and crashes the worker process before the malformed image is rejected. … |
| Remediation | Upgrade to Imager 1.032 or later, which contains the fix - Vendor-released patch: version 1.032, corresponding to upstream commit f28de02770dfc26ffbdc32048970ed84babbf730 (patch at https://github.com/tonycoz/imager/commit/f28de02770dfc26ffbdc32048970ed84babbf730.patch). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all systems running Perl Imager module, documenting version numbers and deployment scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41872
GHSA-pmgh-mrwc-qw67