VYPR
Medium severity 6.5 · NVD Advisory · Published May 15, 2026 · Updated May 15, 2026

CVE-2026-8669

Description

Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files.

Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuses it across every image in the file.

The page-match branch validates Image.Width + Image.Left > SWidth before each DGifGetLine write, but the parallel skip-image branch at imgif.c:790-805 calls DGifGetLine(GifFile, GifRow, Width) with no such check.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Imager for Perl through 1.030 has a heap out-of-bounds write in GIF parsing when processing crafted multi-frame files.

Vulnerability Overview

CVE-2026-8669 is a heap out-of-bounds (OOB) write vulnerability in the Imager Perl module (versions through 1.030) when parsing specially crafted multi-frame GIF files. The root cause lies in the i_readgif_multi_low function within GIF/imgif.c. The code allocates a single per-row buffer (GifRow) sized to the GIF's global screen width (SWidth) and reuses it across all frames. While the "page-match" branch correctly validates that Image.Width + Image.Left does not exceed SWidth before calling DGifGetLine, the "skip-image" branch (around lines 790-805) calls DGifGetLine(GifFile, GifRow, Width) without any bounds check, allowing a write beyond the allocated buffer [1][2].

Exploitation

An attacker can exploit this by providing a multi-frame GIF where one or more frames have dimensions that, when combined with their left offset, exceed the global screen width. The vulnerable skip-image path will then write pixel data into the undersized GifRow buffer, causing a heap OOB write. No authentication is required; the attack is triggered simply by loading the malicious GIF file via Imager's GIF reading functionality [2][3].

Impact

Successful exploitation can lead to heap memory corruption, potentially resulting in application crashes or arbitrary code execution in the context of the Perl interpreter. The vulnerability is rated Medium (CVSS 6.5) due to the need for a crafted file and the potential for denial of service or code execution [2].

Mitigation

The vulnerability is fixed in Imager version 1.031, released on 15 May 2026. The patch adds a validation check for all frames (both page-match and skip-image paths) to ensure image dimensions are confined to the screen dimensions before any DGifGetLine call [1][3]. Users should upgrade to Imager 1.031 or later. No workaround is available; the fix must be applied to the module.

AI Insight generated by deepseek/deepseek-v4-flash-20260423 on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
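
The check placement described under Mitigation, modelled in plain C as an added example; it is not Imager's code or the 1.031 patch. `struct frame`, `frame_fits_row`, `model_get_line` and `read_frames` are hypothetical names, `model_get_line` stands in for DGifGetLine, and the frame values are constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one GIF image descriptor (not giflib's type). */
struct frame { int left, width, height; };

/* 1 when one row of the frame fits a row buffer of swidth pixels.
   Phrased as left <= swidth - width so left + width cannot overflow. */
static int frame_fits_row(const struct frame *f, int swidth) {
    if (swidth <= 0 || f->left < 0 || f->width <= 0 || f->height < 0)
        return 0;
    return f->width <= swidth && f->left <= swidth - f->width;
}

/* Stand-in for DGifGetLine: writes len pixels into row. */
static void model_get_line(unsigned char *row, int len) {
    memset(row, 0xAA, (size_t)len);
}

/* Model of a multi-frame read loop. One row buffer of swidth bytes is
   reused for every frame; `want` is the page the caller asked for.
   Returns rows kept from that page, or -1 if any frame does not fit. */
int read_frames(const struct frame *fr, size_t n, int swidth, size_t want) {
    if (swidth <= 0) return -1;
    unsigned char *row = malloc((size_t)swidth);
    if (!row) return -1;
    int kept = 0;
    for (size_t i = 0; i < n; i++) {
        /* The check sits above the wanted/skipped split, so a frame that
           is only decoded and discarded is validated as well. */
        if (!frame_fits_row(&fr[i], swidth)) { free(row); return -1; }
        for (int y = 0; y < fr[i].height; y++) {
            model_get_line(row, fr[i].width); /* width <= swidth here */
            if (i == want) kept++;            /* skipped rows are dropped */
        }
    }
    free(row);
    return kept;
}

int main(void) {
    /* Constructed input: frame 0 is skipped and wider than the screen. */
    struct frame frames[] = { {2, 4, 1}, {0, 4, 2} };
    printf("result: %d\n", read_frames(frames, 2, 4, 1));
    return 0;
}
```
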
