CVE-2026-13708
Received Received - Intake

Heap Memory Leak in Imager::File::JPEG Perl Module

Vulnerability report for CVE-2026-13708, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: CPANSec

Description

Imager::File::JPEG versions before 1.003 for Perl leak heap memory when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol. i_readjpeg_wiol walks the marker list libjpeg returns and, for each APP13 marker, allocates a new buffer with *iptc_itext = mymalloc(...) and overwrites the previous pointer without freeing it. Only the final payload is later turned into a Perl scalar and freed, so a JPEG with N such markers leaks the first N-1 payloads on every read. In a long-lived process, such as an upload or thumbnailing service, repeated reads accumulate these leaks and exhaust available memory, a denial of service. The same handler ships bundled in the Imager distribution, where versions before 1.032 are affected and the fix ships in 1.032.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
tonycoz imager to 1.003 (exc)
tonycoz imager to 1.032 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-13708 is a memory leak vulnerability in the Imager::File::JPEG module for Perl, specifically in versions before 1.003. The issue occurs when reading JPEG files that contain multiple APP13 markers. For each APP13 marker, the code allocates new memory for IPTC data but fails to free the previously allocated memory, causing a leak.

This means that when a JPEG with multiple APP13 markers is processed, the memory used by all but the last marker's data is never released. Over time, especially in long-running processes like upload or thumbnailing services, these leaks accumulate and can exhaust available memory.

Impact Analysis

The primary impact of this vulnerability is a denial of service caused by memory exhaustion. In applications that process JPEG images repeatedly, such as image upload services or thumbnail generators, the memory leak can accumulate over time, eventually consuming all available memory and causing the application or system to crash or become unresponsive.

Detection Guidance

This vulnerability can be detected by testing the Imager library's JPEG processing with images containing multiple APP13 IPTC blocks, which cause heap memory leaks.

A test image named iptcdup.jpg, which contains duplicate IPTC blocks, is used to detect the memory leak.

To detect the issue, you can run the updated test suite included in the patch that checks for memory leaks when processing such images.

While no specific commands are provided, monitoring memory usage of long-lived processes using Imager when processing JPEGs with repeated APP13 markers can help identify leaks.

Mitigation Strategies

The immediate mitigation step is to update the Imager library to version 1.003 or later, where the memory leak issue has been fixed.

For the bundled Imager distribution, ensure you upgrade to version 1.032 or later.

The fix involves proper memory management by freeing previously allocated IPTC data before processing new APP13 markers.

Until the update is applied, avoid processing JPEG images with multiple APP13 IPTC blocks in long-lived processes to reduce the risk of memory exhaustion and denial of service.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13708. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart