CVE-2026-8813
Deferred - Pending Action
Memory Exhaustion in ExifReader via Malicious ICC Profile

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: Snyk

Description
This affects versions of the package exifreader before 4.39.0. A crafted image containing an ICC mluc tag can set an attacker-controlled record count together with a zero record size. During parsing, ExifReader repeatedly processes the same record and appends entries to an array without sufficient bounds validation, causing excessive memory growth. In applications that parse attacker-supplied images, this may lead to denial of service through memory exhaustion.
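To make the failure mode in the description concrete, here is an added example (not exifreader's code and not its actual 4.39.0 fix): a minimal parser for the record table of an ICC multiLocalizedUnicodeType ('mluc') tag. The fixed 12-byte record layout follows the ICC specification; the function names, the `validate` switch and the constructed sample tag are this example's own assumptions.

```javascript
const MLUC_HEADER_BYTES = 16; // 'mluc'(4) + reserved(4) + recordCount(4) + recordSize(4)
const MLUC_RECORD_BYTES = 12; // language(2) + country(2) + stringLength(4) + stringOffset(4)
// Parse the record table of an ICC multiLocalizedUnicodeType ('mluc') tag.
// With validate=false the loop trusts recordCount and recordSize as read from
// the file: a recordSize of 0 never advances the cursor, so one record is
// appended recordCount times, the unbounded growth the advisory describes.
function parseMluc(bytes, { validate = true } = {}) {
  if (bytes.byteLength < MLUC_HEADER_BYTES) throw new RangeError('mluc tag truncated');
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const recordCount = view.getUint32(8); // ICC data is big-endian (DataView default)
  const recordSize = view.getUint32(12);
  if (validate) {
    // A record is never smaller than its fixed layout, and the table must fit in the tag.
    if (recordSize < MLUC_RECORD_BYTES) throw new RangeError(`bad mluc record size ${recordSize}`);
    const available = bytes.byteLength - MLUC_HEADER_BYTES;
    if (recordCount > Math.floor(available / recordSize)) {
      throw new RangeError(`mluc record count ${recordCount} exceeds tag data`);
    }
  }
  const records = [];
  for (let i = 0; i < recordCount; i++) {
    const o = MLUC_HEADER_BYTES + i * recordSize;
    records.push({
      language: String.fromCharCode(view.getUint8(o), view.getUint8(o + 1)),
      country: String.fromCharCode(view.getUint8(o + 2), view.getUint8(o + 3)),
      length: view.getUint32(o + 4),
      offset: view.getUint32(o + 8),
    });
  }
  return records;
}

// Build a constructed mluc tag (sample data, not from any real profile) whose
// header claims recordCount/recordSize while holding only `records` real entries.
function buildMluc(recordCount, recordSize, records) {
  const buf = new Uint8Array(MLUC_HEADER_BYTES + records.length * MLUC_RECORD_BYTES);
  const view = new DataView(buf.buffer);
  buf.set([0x6d, 0x6c, 0x75, 0x63], 0); // 'mluc' signature
  view.setUint32(8, recordCount);
  view.setUint32(12, recordSize);
  records.forEach((r, i) => {
    const o = MLUC_HEADER_BYTES + i * MLUC_RECORD_BYTES;
    buf.set([r.language.charCodeAt(0), r.language.charCodeAt(1)], o);
    buf.set([r.country.charCodeAt(0), r.country.charCodeAt(1)], o + 2);
    view.setUint32(o + 4, r.length);
    view.setUint32(o + 8, r.offset);
  });
  return buf;
}
```

With validation on, a 28-byte tag claiming 50000 records of size 0 is rejected before any array growth; with validation off, the same bytes yield 50000 copies of one record.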
Meta Information
Published: 2026-05-19
Last Modified: 2026-05-19
Generated: 2026-05-20
AI Q&A: 2026-05-19
EPSS Evaluated: 2026-05-19
Affected Vendors & Products
Vendor: mattiasw
Product: exifreader
Version / Range: to 4.39.0 (exc)
CWE
CWE-1284: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects versions of the exifreader package before 4.39.0. It occurs when a crafted image contains an ICC mluc tag that sets an attacker-controlled record count along with a zero record size. During parsing, ExifReader repeatedly processes the same record and appends entries to an array without proper bounds validation, which causes excessive memory growth.

This improper validation of the specified quantity in the input leads to a situation where memory usage can grow uncontrollably.


How can this vulnerability impact me?

In applications that parse attacker-supplied images using the vulnerable exifreader versions, this vulnerability can lead to denial of service (DoS) through memory exhaustion.

An attacker can exploit this by providing a specially crafted image that triggers excessive memory allocation, potentially causing the application to crash or become unresponsive.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects versions of the exifreader package before 4.39.0. Detection involves identifying if your applications use a vulnerable version of exifreader that parses attacker-supplied images containing a crafted ICC mluc tag.

While no specific commands are provided in the available resources, a practical approach would be to scan your project dependencies for the exifreader package version. For example, in a Node.js environment, you can run commands like:

  • npm list exifreader
  • yarn list exifreader

Additionally, monitoring network traffic for suspicious image files containing malformed ICC mluc tags would require custom parsing or IDS/IPS signatures, which are not detailed in the provided resources.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the exifreader package to version 4.39.0 or later, where bounds checks have been added to ICC mluc tag parsing to prevent this vulnerability.

If upgrading immediately is not possible, consider validating or sanitizing image inputs before parsing them with exifreader to avoid processing crafted images that exploit this issue.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability in exifreader allows an attacker to cause a denial of service through memory exhaustion by exploiting improper validation of input data. While the CVE description and resources detail the technical impact, there is no explicit information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

