Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Imager::File::GIF versions through 1.002 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files.
Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuses it across every image in the file.
The page-match branch validates Image.Width + Image.Left > SWidth before each DGifGetLine write, but the parallel skip-image branch at imgif.c:790-805 calls DGifGetLine(GifFile, GifRow, Width) with no such check.
AnalysisAI
Heap buffer overflow in Imager::File::GIF (Perl image processing library) versions through 1.002 allows local attackers to corrupt memory via specially crafted multi-frame GIF files. The vulnerability stems from missing boundary validation in the skip-image code path, which writes image data beyond allocated buffer boundaries when processing malformed GIF frames. With EPSS score at 0.02% (5th percentile) and no evidence of active exploitation, this represents a low-probability supply chain risk for Perl applications processing untrusted GIF files. Patch released in version 1.003.
Technical ContextAI
Imager::File::GIF is a Perl module for reading and writing GIF images, part of the broader Imager image processing framework. The vulnerability affects the i_readgif_multi_low function in imgif.c, which processes multi-frame GIF files. The function allocates a single per-row buffer (GifRow) sized according to the GIF's global screen width (SWidth) and reuses it across all frames. While the primary image-processing branch validates that Image.Width + Image.Left does not exceed SWidth before writing via DGifGetLine, the parallel skip-image branch (lines 790-805 in the original code) omits this validation check. This CWE-787 (Out-of-bounds Write) allows attackers to craft GIF files where individual frames declare dimensions that exceed the global screen size, causing DGifGetLine to write past the allocated buffer boundary during the skip operation, resulting in heap corruption.
RemediationAI
Upgrade to Imager::File::GIF version 1.003 or later, which includes bounds validation checks moved earlier in the processing flow to cover both the page-match and skip-image code paths. The fix validates that Image.Left + Image.Width does not exceed SWidth and Image.Top + Image.Height does not exceed SHeight before any DGifGetLine operations. Update via CPAN with cpan Imager::File::GIF or manual installation from https://metacpan.org/release/TONYC/Imager-File-GIF-1.003. If immediate upgrade is not feasible, implement input validation to reject GIF files where individual frame dimensions exceed the declared global screen dimensions, though this requires custom parsing logic. For web applications, consider restricting GIF uploads or re-encoding uploaded GIFs through a sandboxed service using the patched library version. No workaround provides equivalent protection to the vendor patch.
Denial of service in the Imager image-processing module for Perl (all versions before 1.033) allows remote attackers to
The Imager package before 1.025 for Perl has a heap-based buffer overflow leading to denial of service, or possibly unsp
Heap buffer overflow in Imager for Perl versions through 1.030 allows remote attackers to corrupt memory and potentially
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30535
GHSA-8r2w-8p2v-h4g4