Description
Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle.

read_rgb_16_rle guards each literal run with if (count > data_left), but count is a pixel count while every 16-bit sample consumes two bytes. The copy loop reads inp[0] * 256 + inp[1] and advances two bytes per pixel, so a run with data_left / 2 < count <= data_left passes the guard yet consumes 2 * count bytes and reads past the end of the buffer. The 8-bit path is unaffected because there one pixel is one byte.

Reading a crafted SGI image through Imager->read triggers the over-read before the parser rejects the malformed image, which can crash the process.
Published: 2026-07-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap out‑of‑bounds read occurs in the Imager::File::SGI reader when it processes a 16‑bit RLE literal run. The guard checks only the pixel count, but the copy loop consumes two bytes per pixel, so a run that uses more bytes than the remaining data length will read past the buffer. The over‑read happens before the parser rejects the malformed image, causing the running interpreter to crash. No evidence indicates that the flaw can be leveraged for arbitrary code execution or disclosure of sensitive data; it results in a denial‑of‑service condition because the process terminates.

Affected Systems

The vulnerability affects the TONYC Imager Perl module for versions earlier than 1.032. Any Perl application that imports Imager and processes SGI image files—such as web front‑ends, image conversion utilities, or automated pipelines—can be compromised if it accepts user‑provided SGI files. The flaw is triggered only when the SGI image contains a malformed 16‑bit RLE literal run, so applications that validate or sanitize input images might avoid exploitation.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate‑to‑high severity. The EPSS score of < 1% reflects a very low probability of exploitation. The flaw is not listed in the CISA KEV catalog. The attack vector is likely limited to environments where a crafted SGI image can be supplied such as file uploads or network transport. Because the flaw only causes a crash without enabling code execution, the risk is confined to service disruption rather than privilege escalation or data theft.

Generated by OpenCVE AI on July 10, 2026 at 07:10 UTC.

Remediation

Vendor Solution

Upgrade to Imager 1.032 or later.


OpenCVE Recommended Actions

  • Upgrade Imager to version 1.032 or later to apply the patch RLE reading logic.
  • Perform strict validation of SGI images before invoking Imager->read to avoid buffer over‑reads (CWE‑125) – reject images where the declared data length does not match the actual byte count.
  • Run image‑processing code in an isolated or sandboxed process so that a crash does not compromise the overall application or server environment.

Generated by OpenCVE AI on July 10, 2026 at 07:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Tonyc
Tonyc imager
Vendors & Products Tonyc
Tonyc imager

Mon, 06 Jul 2026 13:15:00 +0000

Type Values Removed Values Added
Description Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle. read_rgb_16_rle guards each literal run with if (count > data_left), but count is a pixel count while every 16-bit sample consumes two bytes. The copy loop reads inp[0] * 256 + inp[1] and advances two bytes per pixel, so a run with data_left / 2 < count <= data_left passes the guard yet consumes 2 * count bytes and reads past the end of the buffer. The 8-bit path is unaffected because there one pixel is one byte. Reading a crafted SGI image through Imager->read triggers the over-read before the parser rejects the malformed image, which can crash the process.
Title Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle
Weaknesses CWE-125
References

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-06T19:24:38.327Z

Reserved: 2026-06-29T13:21:04.275Z

Link: CVE-2026-13705

cve-icon Vulnrichment

Updated: 2026-07-06T18:38:12.676Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T07:15:04Z

Weaknesses