AnimatedGIF CVE-2026-30141
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionNVD
An issue was discovered in bitbank2 AnimatedGIF v2.2.0. A buffer overflow in the DecodeLZW function allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via a crafted GIF file.
AnalysisAI
Remote code execution and denial-of-service in bitbank2 AnimatedGIF v2.2.0 arises from a buffer overflow in the DecodeLZW function when processing a crafted GIF file. SSVC data indicates a proof-of-concept exists and exploitation is automatable, though it is not listed in CISA KEV; with CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) the vulnerability is network-reachable wherever this library decodes attacker-supplied GIFs.
Technical ContextAI
AnimatedGIF is a lightweight C/C++ library by Larry Bank (bitbank2) widely embedded in microcontroller, embedded display, and Arduino/ESP32 projects for decoding animated GIF images. The DecodeLZW routine implements LZW decompression of the GIF image data stream; CWE-400 (Uncontrolled Resource Consumption) plus the 'buffer overflow' description in issue #115 suggests that malformed LZW code tables or run lengths cause writes beyond a fixed-size decode buffer, corrupting adjacent memory. The CPE is listed as 'n/a:n/a' in NVD, meaning the affected product is not yet formally enumerated in the CPE dictionary - defenders must identify exposure by source-level dependency, not CPE matching.
RemediationAI
No vendor-released patched version has been independently confirmed at the time of analysis; the only public reference is the upstream tracker https://github.com/bitbank2/AnimatedGIF/issues/115, so monitor that issue and the bitbank2/AnimatedGIF repository for a tagged release superseding 2.2.0 and rebuild dependent firmware/binaries once available. Until a fix is published, compensating controls should prevent attacker-controlled GIF bytes from reaching DecodeLZW: validate GIF headers and reject files exceeding expected logical-screen and frame dimensions before invoking the decoder (trade-off: may reject legitimate oversized GIFs), transcode incoming GIFs through a hardened server-side decoder (e.g., ImageMagick or libgd with policy limits) and re-emit a sanitized GIF before passing it downstream (trade-off: added latency and CPU), and on memory-constrained embedded targets disable any network-facing image-upload endpoint that feeds AnimatedGIF (trade-off: feature loss). Where possible, run the decoder in a process or task isolated from privileged code so that a crash or corruption does not pivot to wider compromise.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today