Skip to main content

Imager for Perl CVE-2026-8669

| EUVDEUVD-2026-30541 MEDIUM
Out-of-bounds Write (CWE-787)
2026-05-15 CPANSec GHSA-6275-mpwc-pq3g
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Source Code Evidence Fetched
May 15, 2026 - 17:00 vuln.today
Analysis Generated
May 15, 2026 - 17:00 vuln.today
CVSS changed
May 15, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
May 15, 2026 - 13:31 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files.

Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuses it across every image in the file.

The page-match branch validates Image.Width + Image.Left > SWidth before each DGifGetLine write, but the parallel skip-image branch at imgif.c:790-805 calls DGifGetLine(GifFile, GifRow, Width) with no such check.

AnalysisAI

Heap buffer overflow in Imager for Perl versions through 1.030 allows remote attackers to corrupt memory and potentially read limited data via specially crafted multi-frame GIF files. The vulnerability stems from missing bounds validation in the skip-image code path of i_readgif_multi_low(), which reuses a fixed-size buffer allocated for the GIF's global screen width without checking if subsequent image frames exceed these dimensions. Vendor-released patch available in version 1.031. CVSS 6.5 indicates network-accessible exploitation requiring no authentication or user interaction, though the impact is limited to low confidentiality/integrity with no availability disruption. No public exploit identified at time of analysis.

Technical ContextAI

Imager is a widely used Perl image processing library (cpe:2.3:a:tonyc:imager). The vulnerability (CWE-787: Out-of-bounds Write) resides in the GIF decoder module's multi-frame handling logic. When parsing multi-frame GIF files, the i_readgif_multi_low() function allocates a single row buffer (GifRow) sized for the GIF's global screen width (SWidth) and reuses it across all frames. The main image-processing branch at imgif.c includes bounds validation (Image.Left + Image.Width > SWidth) before calling DGifGetLine(), but a parallel skip-image code path at lines 790-805 omits this check. An attacker can craft a GIF with a small global screen width followed by frames with larger dimensions, causing DGifGetLine() to write beyond the allocated buffer. The patch (commit 782e9c06) moves the bounds check earlier in the processing flow to cover both code paths, validating that Image.Left + Image.Width <= SWidth and Image.Top + Image.Height <= SHeight before any frame processing occurs.

RemediationAI

Upgrade to Imager version 1.031 or later, which includes the bounds-checking fix from commit 782e9c06cc75a0f7eed383f39522f51f44598b04. The patch is available at https://github.com/tonycoz/imager/commit/782e9c06cc75a0f7eed383f39522f51f44598b04.patch for manual application if immediate upgrade is not feasible. Release notes are documented at https://metacpan.org/release/TONYC/Imager-1.031/source/Changes. If patching is delayed, implement compensating controls: (1) Restrict GIF file uploads to trusted sources only-this eliminates the remote attack vector but may impact legitimate functionality for user-facing applications; (2) Deploy file format validation that rejects multi-frame GIFs with per-frame dimensions exceeding global screen size-this requires custom preprocessing logic and may break legitimate animated GIFs with non-standard dimension declarations; (3) Run Imager processing in sandboxed environments (containers with limited memory access, seccomp filters) to contain heap corruption-this adds operational complexity and may degrade performance by 10-20%. Note: The commit references CVE-2026-8454 rather than CVE-2026-8669; verify CVE ID with CPANSec before applying remediation.

Share

CVE-2026-8669 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy