Description
Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files.

Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuses it across every image in the file.

The page-match branch validates Image.Width + Image.Left > SWidth before each DGifGetLine write, but the parallel skip-image branch at imgif.c:790-805 calls DGifGetLine(GifFile, GifRow, Width) with no such check.
Published: 2026-05-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Imager versions through 1.030 for Perl expose a heap out of bounds write when processing crafted multi‑frame GIF files due to a missing bounds check in the GIF reader component. The flaw occurs in the skip‑image branch that calls DGifGetLine without validating the destination buffer size, allowing an attacker to write beyond the allocated memory region. This memory corruption can lead to application crashes or, in more severe cases, arbitrary code execution because the compromised memory may control return addresses or data structures.

Affected Systems

The vulnerability affects products from TONYC, specifically the Imager library for Perl versions up to and including 1.030. Any Perl application that processes GIF images via Imager and is unable to restrict input size or validate frames is at risk. The vendor recommends upgrading to Imager 1.031 or later to obtain the patch that correctly bounds the buffer checks.

Risk and Exploitability

The exploit requires delivery of a specially crafted multi‑frame GIF file to a vulnerable application that uses Imager for image processing. The attack does not need network privilege unless the GIF is transmitted remotely; local users could also trigger the flaw by opening a malicious file. While there is no EPSS data and the vulnerability is not listed in KEV, the nature of a heap out‑of‑bounds write is considered a medium‑severity issue, as indicated by its CVSS score of 6.5, which can compromise confidentiality, integrity, or availability of the host. Immediate remediation is recommended to mitigate the potential for arbitrary code execution.

Generated by OpenCVE AI on May 15, 2026 at 17:35 UTC.

Remediation

Vendor Solution

Upgrade to Imager 1.031.

OpenCVE Recommended Actions

  • Upgrade the Imager library to version 1.031 or later, which includes proper bounds checking for multi‑frame GIF processing.
  • Implement strict validation of GIF file contents before passing them to Imager, such as verifying frame width and height against the global screen width and ensuring that all dimensions are within safe limits.
  • Consider disabling or sandboxing multi‑frame GIF support in applications that cannot immediately update, or replace Imager with a more secure image processing library that performs comprehensive bounds checks.

Generated by OpenCVE AI on May 15, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 22:30:00 +0000

Type Values Removed Values Added
References

Fri, 15 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Tonyc
Tonyc imager
Vendors & Products Tonyc
Tonyc imager

Fri, 15 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuses it across every image in the file. The page-match branch validates Image.Width + Image.Left > SWidth before each DGifGetLine write, but the parallel skip-image branch at imgif.c:790-805 calls DGifGetLine(GifFile, GifRow, Width) with no such check.
Title Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files
Weaknesses CWE-787
References

Subscriptions

Tonyc Imager
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-15T21:23:31.133Z

Reserved: 2026-05-15T11:19:04.001Z

Link: CVE-2026-8669

cve-icon Vulnrichment

Updated: 2026-05-15T21:23:31.133Z

cve-icon NVD

Status : Received

Published: 2026-05-15T15:16:57.043

Modified: 2026-05-15T22:16:56.887

Link: CVE-2026-8669

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T17:45:04Z

Weaknesses