Description
Imager::File::JPEG versions before 1.003 for Perl leak heap memory when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol.

i_readjpeg_wiol walks the marker list libjpeg returns and, for each APP13 marker, allocates a new buffer with *iptc_itext = mymalloc(...) and overwrites the previous pointer without freeing it. Only the final payload is later turned into a Perl scalar and freed, so a JPEG with N such markers leaks the first N-1 payloads on every read.

In a long-lived process, such as an upload or thumbnailing service, repeated reads accumulate these leaks and exhaust available memory, a denial of service.

The same handler ships bundled in the Imager distribution, where versions before 1.032 are affected and the fix ships in 1.032.
Published: 2026-07-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap memory leak occurs when the Imager::File::JPEG module parses JPEG images that contain multiple APP13 markers. With each APP13 marker the code allocates a new buffer but never frees the previous one, so the first N-1 payloads remain in memory. Repeated processing of such crafted images in a long‑lived process gradually exhausts available memory, culminating in application crash or refusal to service requests. The underlying weakness is a classic memory leak (CWE‑401).

Affected Systems

The flaw affects Perl applications that use the TONYC Imager::File::JPEG module, specifically versions earlier than 1.003, and the bundled Imager distribution before 1.032. Any service that uploads, processes, or thumbnails JPEG images—such as web upload handlers, content management systems, or image‑processing microservices—is potentially impacted.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is considered high severity. The EPSS score of < 1% indicates a very low exploitation probability, though not zero. The nature of the flaw still allows a remote attacker to trigger the memory leak by submitting JPEG files containing a large number of APP13 markers to a vulnerable service. The likely attack vector is remote file upload, and the prerequisite is that the service uses the affected module and does not filter input. The vulnerability is not listed in the CISA KEV catalog, but the ability to exhaust memory in continuously running processes makes it a significant risk.

Generated by OpenCVE AI on July 10, 2026 at 07:09 UTC.

Remediation

Vendor Solution

Upgrade to Imager::File::JPEG 1.003 or later, or to Imager 1.032 or later if the bundled copy is in use.


OpenCVE Recommended Actions

  • Upgrade the Imager::File::JPEG module to version 1.003 or later, or upgrade the bundled Imager package to version 1.032 or later.
  • Implement validation to reject or limit JPEG images that contain more than a safe threshold of APP13 markers, preventing the leak from being triggered.
  • Monitor the memory usage of image‑processing services and plan for graceful restarts or scaling when memory growth exceeds normal operating levels.

Generated by OpenCVE AI on July 10, 2026 at 07:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Tonyc
Tonyc imager::file::jpeg
Vendors & Products Tonyc
Tonyc imager::file::jpeg

Mon, 06 Jul 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 13:15:00 +0000

Type Values Removed Values Added
Description Imager::File::JPEG versions before 1.003 for Perl leak heap memory when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol. i_readjpeg_wiol walks the marker list libjpeg returns and, for each APP13 marker, allocates a new buffer with *iptc_itext = mymalloc(...) and overwrites the previous pointer without freeing it. Only the final payload is later turned into a Perl scalar and freed, so a JPEG with N such markers leaks the first N-1 payloads on every read. In a long-lived process, such as an upload or thumbnailing service, repeated reads accumulate these leaks and exhaust available memory, a denial of service. The same handler ships bundled in the Imager distribution, where versions before 1.032 are affected and the fix ships in 1.032.
Title Imager::File::JPEG versions before 1.003 for Perl leak heap memory when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol
Weaknesses CWE-401
References

Subscriptions

Tonyc Imager::file::jpeg
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-06T18:53:51.698Z

Reserved: 2026-06-29T13:22:53.937Z

Link: CVE-2026-13708

cve-icon Vulnrichment

Updated: 2026-07-06T18:38:13.622Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T07:15:04Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime