Skip to main content

Cgif CVE-2026-4985

| EUVDEUVD-2026-16894 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-03-27 VulDB GHSA-j9q5-hw2p-xmcf
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 27, 2026 - 22:00 euvd
EUVD-2026-16894
Analysis Generated
Mar 27, 2026 - 22:00 vuln.today
Patch released
Mar 27, 2026 - 22:00 nvd
Patch available
CVE Published
Mar 27, 2026 - 21:27 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was identified in dloebl CGIF up to 0.5.2. This vulnerability affects the function cgif_addframe of the file src/cgif.c of the component GIF Image Handler. The manipulation of the argument width/height leads to integer overflow. The attack may be initiated remotely. The identifier of the patch is b0ba830093f4317a5d1f345715d2fa3cd2dab474. It is suggested to install a patch to address this issue. VulDB is the best source for vulnerability data and more expert information about this specific topic.

AnalysisAI

Integer overflow in dloebl CGIF up to version 0.5.2 allows remote attackers to trigger availability impact via manipulation of width/height arguments in the cgif_addframe function. The vulnerability requires user interaction (UI:P) but can be exploited over the network with no authentication. A patch is available via upstream commit b0ba830093f4317a5d1f345715d2fa3cd2dab474.

Technical ContextAI

The vulnerability exists in the GIF image handler component of CGIF, specifically in the cgif_addframe function within src/cgif.c. The root cause is CWE-190 (Integer Overflow or Wraparound), which occurs when width and height parameters are not properly validated before being used in arithmetic operations or memory allocation calculations. When untrusted integer values overflow, they can cause unexpected behavior such as buffer overflows, memory corruption, or denial of service. CGIF is a library for creating animated GIF files, and the affected function is responsible for adding frames to animated GIFs. The CPE cpe:2.3:a:dloebl:cgif:*:*:*:*:*:*:*:* indicates all versions up to 0.5.2 are vulnerable.

RemediationAI

Upgrade dloebl CGIF to a version newer than 0.5.2 that includes the fix from commit b0ba830093f4317a5d1f345715d2fa3cd2dab474. The upstream patch is available at https://github.com/dloebl/cgif/pull/112 and the commit hash b0ba830093f4317a5d1f345715d2fa3cd2dab474. For users unable to immediately upgrade, implement input validation to reject GIF files with excessively large or suspicious width/height values. Applications that process GIFs should be configured to run with minimal privileges to limit the impact of a potential denial-of-service condition. Refer to https://github.com/dloebl/cgif/issues/110 for discussion of the vulnerability.

Share

CVE-2026-4985 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy