CVE-2026-8813

Vulnerability

The vulnerability exists in the exifreader package before version 4.39.0 in the parsing of ICC profile mluc (multiLocalizedUnicode) tags. When a crafted image provides an attacker-controlled record count together with a zero record size, the parser repeatedly processes the same record without advancing the read offset, causing unbounded memory allocation. Affected versions are all releases prior to 4.39.0 [1][2].

Exploitation

An attacker can exploit this vulnerability by supplying a specially crafted image (e.g., a JPEG file with an embedded ICC profile) to an application that uses exifreader to parse image metadata. The attacker sets numRecords to a very large value (e.g., 0x7fffffff) and recordSize to zero in the mluc tag. When ExifReader.load() is called on the crafted image, the parser loops over the claimed records without consuming any new data, leading to rapid memory consumption. No authentication or special network access is required beyond the ability to provide the malicious image to the target application [2].

Impact

Successful exploitation results in denial of service through memory exhaustion. The attacker can cause the host application to run out of memory and crash, disrupting service. There is no indication of data leakage or code execution; the impact is limited to availability [1][2].

Mitigation

The vulnerability is fixed in ExifReader version 4.39.0. Users should upgrade to this version or later [1]. The fix adds bounds checks to the ICC mluc tag parsing to ensure the declared record size actually advances the read offset before iterating [1]. No workarounds are documented; upgrading is the recommended action.