CVE-2026-14454

TONYC · Imager

Imager for Perl mishandles large EXIF IFD entry counts, leading to excessive memory allocation attempts and process termination.

Executive summary

An improper integer handling flaw in the Imager Perl library can be triggered by malicious images, leading to a denial-of-service condition.

Vulnerability

The library incorrectly treats unsigned EXIF IFD entry counts as signed integers. This logic error causes the software to attempt an excessively large memory allocation when processing a specially crafted image, which fails and results in the termination of the host process.

Business impact

The CVSS score of 9.8 (Critical) highlights the severe potential for Denial of Service (DoS) in applications relying on the Imager library. If an application processes user-supplied images, an attacker can reliably crash the service, leading to significant system downtime and potential disruption of critical business operations.

Remediation

Immediate Action: Update the TONYC Imager library to version 1.033 or later immediately.

Proactive Monitoring: Monitor application logs for frequent process crashes or "out of memory" errors specifically occurring during image processing tasks.

Compensating Controls: Implement strict input validation or file size limits on image uploads as a temporary measure to reduce the likelihood of triggering the flawed memory allocation logic.

Exploitation status

Public Exploit Available: No (No confirmed public exploit available).

Analyst recommendation

Given the critical CVSS severity score, this vulnerability should be addressed with high urgency. Organizations using the Perl Imager library must update to version 1.033 to eliminate the risk of service disruption caused by malicious input.