Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files.
Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuses it across every image in the file.
The page-match branch validates Image.Width + Image.Left > SWidth before each DGifGetLine write, but the parallel skip-image branch at imgif.c:790-805 calls DGifGetLine(GifFile, GifRow, Width) with no such check.
AnalysisAI
Heap buffer overflow in Imager for Perl versions through 1.030 allows remote attackers to corrupt memory and potentially read limited data via specially crafted multi-frame GIF files. The vulnerability stems from missing bounds validation in the skip-image code path of i_readgif_multi_low(), which reuses a fixed-size buffer allocated for the GIF's global screen width without checking if subsequent image frames exceed these dimensions. Vendor-released patch available in version 1.031. CVSS 6.5 indicates network-accessible exploitation requiring no authentication or user interaction, though the impact is limited to low confidentiality/integrity with no availability disruption. No public exploit identified at time of analysis.
Technical ContextAI
Imager is a widely used Perl image processing library (cpe:2.3:a:tonyc:imager). The vulnerability (CWE-787: Out-of-bounds Write) resides in the GIF decoder module's multi-frame handling logic. When parsing multi-frame GIF files, the i_readgif_multi_low() function allocates a single row buffer (GifRow) sized for the GIF's global screen width (SWidth) and reuses it across all frames. The main image-processing branch at imgif.c includes bounds validation (Image.Left + Image.Width > SWidth) before calling DGifGetLine(), but a parallel skip-image code path at lines 790-805 omits this check. An attacker can craft a GIF with a small global screen width followed by frames with larger dimensions, causing DGifGetLine() to write beyond the allocated buffer. The patch (commit 782e9c06) moves the bounds check earlier in the processing flow to cover both code paths, validating that Image.Left + Image.Width <= SWidth and Image.Top + Image.Height <= SHeight before any frame processing occurs.
RemediationAI
Upgrade to Imager version 1.031 or later, which includes the bounds-checking fix from commit 782e9c06cc75a0f7eed383f39522f51f44598b04. The patch is available at https://github.com/tonycoz/imager/commit/782e9c06cc75a0f7eed383f39522f51f44598b04.patch for manual application if immediate upgrade is not feasible. Release notes are documented at https://metacpan.org/release/TONYC/Imager-1.031/source/Changes. If patching is delayed, implement compensating controls: (1) Restrict GIF file uploads to trusted sources only-this eliminates the remote attack vector but may impact legitimate functionality for user-facing applications; (2) Deploy file format validation that rejects multi-frame GIFs with per-frame dimensions exceeding global screen size-this requires custom preprocessing logic and may break legitimate animated GIFs with non-standard dimension declarations; (3) Run Imager processing in sandboxed environments (containers with limited memory access, seccomp filters) to contain heap corruption-this adds operational complexity and may degrade performance by 10-20%. Note: The commit references CVE-2026-8454 rather than CVE-2026-8669; verify CVE ID with CPANSec before applying remediation.
Denial of service in the Imager image-processing module for Perl (all versions before 1.033) allows remote attackers to
The Imager package before 1.025 for Perl has a heap-based buffer overflow leading to denial of service, or possibly unsp
Heap buffer overflow in Imager::File::GIF (Perl image processing library) versions through 1.002 allows local attackers
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30541
GHSA-6275-mpwc-pq3g