VYPR
Medium severity (CVSS 5.3) · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-8814

Description

Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to decompressing PNG zTXt metadata without enforcing a built-in maximum decompressed output size. When asynchronous parsing is enabled, a crafted PNG file containing a highly compressed zTXt chunk can cause ExifReader to materialize a disproportionately large Comment value in memory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ExifReader before 4.39.0 is vulnerable to data amplification via PNG zTXt decompression, allowing memory exhaustion when asynchronous parsing is enabled.

Vulnerability

ExifReader versions before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to decompressing PNG zTXt metadata without enforcing a built-in maximum decompressed output size [1][2]. When asynchronous parsing is enabled, a crafted PNG file containing a highly compressed zTXt chunk can cause ExifReader to materialize a disproportionately large Comment value in memory [2].

Exploitation

An attacker needs to provide a crafted PNG file to an application that uses ExifReader with asynchronous parsing enabled. The attacker can create a PNG with a small compressed zTXt chunk that decompresses to a very large size (e.g., 128 MiB or more). The proof-of-concept in [2] demonstrates this by deflating a buffer of 128 MiB of 'A' characters into a small compressed payload. When ExifReader processes the PNG asynchronously, it decompresses the chunk without size limit, materializing the large string in memory.

Impact

Successful exploitation leads to memory exhaustion (denial of service) as the library allocates a large string. The impact is primarily on availability; the attacker can cause the application to run out of memory or crash. No code execution or data disclosure is indicated in the available references.

Mitigation

Upgrade to exifreader version 4.39.0 or higher, which introduces a default maximum decompressed size of 128 MiB via the maxDecompressedSize option [1]. The fix caps decompressed metadata blocks. No workaround is mentioned; the only mitigation is to update the package. The vulnerability is not listed in KEV as of the publication date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)