CVE-2026-8813
Deferred Deferred - Pending Action
Memory Exhaustion in ExifReader via Malicious ICC Profile

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: Snyk

Description
This affects versions of the package exifreader before 4.39.0. A crafted image containing an ICC mluc tag can set an attacker-controlled record count together with a zero record size. During parsing, ExifReader repeatedly processes the same record and appends entries to an array without sufficient bounds validation, causing excessive memory growth. In applications that parse attacker-supplied images, this may lead to denial of service through memory exhaustion.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8813
EUVD
EUVD-2026-30838
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mattiasw exifreader to 4.39.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects versions of the exifreader package before 4.39.0. It occurs when a crafted image contains an ICC mluc tag that sets an attacker-controlled record count along with a zero record size. During parsing, ExifReader repeatedly processes the same record and appends entries to an array without proper bounds validation, which causes excessive memory growth.

This improper validation of the specified quantity in the input leads to a situation where memory usage can grow uncontrollably.

Impact Analysis

In applications that parse attacker-supplied images using the vulnerable exifreader versions, this vulnerability can lead to denial of service (DoS) through memory exhaustion.

An attacker can exploit this by providing a specially crafted image that triggers excessive memory allocation, potentially causing the application to crash or become unresponsive.

Detection Guidance

This vulnerability affects versions of the exifreader package before 4.39.0. Detection involves identifying if your applications use a vulnerable version of exifreader that parses attacker-supplied images containing a crafted ICC mluc tag.

While no specific commands are provided in the available resources, a practical approach would be to scan your project dependencies for the exifreader package version. For example, in a Node.js environment, you can run commands like:

  • npm list exifreader
  • yarn list exifreader

Additionally, monitoring network traffic for suspicious image files containing malformed ICC mluc tags would require custom parsing or IDS/IPS signatures, which are not detailed in the provided resources.

Mitigation Strategies

The primary mitigation step is to upgrade the exifreader package to version 4.39.0 or later, where bounds checks have been added to ICC mluc tag parsing to prevent this vulnerability.

If upgrading immediately is not possible, consider validating or sanitizing image inputs before parsing them with exifreader to avoid processing crafted images that exploit this issue.

Compliance Impact

This vulnerability in exifreader allows an attacker to cause a denial of service through memory exhaustion by exploiting improper validation of input data. While the CVE description and resources detail the technical impact, there is no explicit information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8813. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart