CVE-2026-26740
Buffer Overflow in giflib 5.2.2 Causes Remote Denial of Service
Publication date: 2026-03-18
Last updated on: 2026-03-21
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| giflib_project | giflib | 5.2.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26740 is a buffer overflow vulnerability in giflib version 5.2.2, specifically in the functions EGifGCBToExtension and EGifGCBToSavedExtension. It occurs when handling a crafted GIF file containing a Graphics Control Extension (GCE) block with a truncated extension byte count (for example, length set to 1 instead of the expected 4).
The vulnerability arises because the code writes 4 bytes into a buffer that was allocated according to the original byte count, without validating whether that buffer is large enough. If the GCE block is truncated, the buffer is smaller than 4 bytes, and overwriting the existing GCE block in place causes a heap-based buffer overflow.
This issue can be triggered when using the giftool utility to modify the delay time of a GIF file with such a malformed GCE block, leading to memory corruption.
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service caused by application crashes due to heap buffer overflow.
Additionally, the heap out-of-bounds write could lead to memory corruption, which might be exploitable depending on the memory allocator and layout, although no exploit has been demonstrated.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing GIF files for malformed Graphics Control Extension (GCE) blocks with truncated extension byte counts (less than 4 bytes). Specifically, running the giftool utility with AddressSanitizer (ASan) enabled on crafted GIF files that contain such truncated GCE blocks can trigger a heap-buffer-overflow error, indicating the presence of the vulnerability.
A practical detection method is to use the provided proof-of-concept (PoC) Python script to generate a crafted GIF file and then run giftool with the delay time modification option (-d) on this file under ASan to observe if a heap buffer overflow occurs.
Suggested commands include:
- Use the PoC script to generate a test GIF file: python3 gen_poc_giftool_gce_len1.py > test.gif
- Run a giftool binary built with AddressSanitizer (compiled with -fsanitize=address) to check for the heap buffer overflow: ./giftool -d 10 test.gif
- Monitor ASan logs for heap-buffer-overflow errors indicating the vulnerability.
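As an added example (not from this advisory and not giflib's own code), the following C scanner walks the standard GIF89a block layout and counts GCE blocks whose first sub-block length is not 4, so a malformed file can be flagged before a giflib-based tool modifies it. The two 1x1 sample images are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
/* Added example (not giflib code): count Graphics Control Extension (GCE) blocks
 * whose first sub-block length is not the required 4 bytes; -1 = truncated/not GIF. */
static size_t color_table_len(uint8_t packed) {   /* bit 7 = present, bits 0-2 = size */
    return (packed & 0x80) ? 3u * (1u << ((packed & 7) + 1)) : 0;
}
/* Step over a chain of data sub-blocks, including the 0 terminator. */
static int skip_sub_blocks(const uint8_t *b, size_t len, size_t *pos) {
    while (*pos < len) {
        uint8_t n = b[(*pos)++];
        if (n == 0) return 0;
        if (*pos + n > len) return -1;
        *pos += n;
    }
    return -1;
}
int count_short_gce(const uint8_t *b, size_t len) {
    size_t pos = 13;   /* 6-byte signature + 7-byte logical screen descriptor */
    int bad = 0;
    if (len < 13 || (memcmp(b, "GIF87a", 6) && memcmp(b, "GIF89a", 6))) return -1;
    pos += color_table_len(b[10]);                     /* global colour table */
    while (pos < len) {
        uint8_t tag = b[pos++];
        if (tag == 0x3B) return bad;                   /* trailer: clean end */
        if (tag == 0x21) {                             /* extension introducer */
            if (pos + 2 > len) return -1;
            uint8_t label = b[pos++];
            if (label == 0xF9 && b[pos] != 4) bad++;   /* GCE with wrong length */
            if (skip_sub_blocks(b, len, &pos)) return -1;
        } else if (tag == 0x2C) {                      /* image descriptor */
            if (pos + 9 > len) return -1;
            pos += 9 + color_table_len(b[pos + 8]) + 1; /* + local table + LZW min code */
            if (skip_sub_blocks(b, len, &pos)) return -1;
        } else return -1;                              /* unknown block */
    }
    return -1;                                         /* no trailer reached */
}
/* Constructed 1x1 GIFs: a well-formed GCE (length 4) and a truncated one (length 1). */
static const uint8_t GOOD_GIF[] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x00, 0,0,            /* header, no GCT */
    0x21,0xF9, 4, 0,0,0,0, 0,                               /* GCE, 4-byte sub-block */
    0x2C, 0,0, 0,0, 1,0, 1,0, 0x00, 0x02, 2,0x4C,0x01, 0,   /* image + one data sub-block */
    0x3B };
static const uint8_t BAD_GIF[] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x00, 0,0,
    0x21,0xF9, 1, 0, 0,                                     /* GCE carrying only 1 byte */
    0x2C, 0,0, 0,0, 1,0, 1,0, 0x00, 0x02, 2,0x4C,0x01, 0,
    0x3B };
```

A non-zero count means the file carries the exact shape of GCE block this advisory describes and should be rejected rather than passed to giftool -d.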
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of vulnerable giflib version 5.2.2 or any software that uses the vulnerable functions EGifGCBToExtension and EGifGCBToSavedExtension without proper validation.
Specifically:
- Do not process or modify untrusted or suspicious GIF files with giftool or other giflib-based tools, since such files may contain malformed GCE blocks.
- Apply patches or updates that validate the byte count of the existing GCE extension block before overwriting it, or that reallocate the buffer so it safely holds the 4 bytes.
- If a patch is not available, consider disabling or restricting the use of the delay time modification feature (-d option) in giftool or similar utilities.
- Monitor for updates from giflib maintainers addressing this vulnerability and apply them promptly.