CVE-2026-14454
Received
Received - Intake
Memory Corruption in Perl Imager via Malformed EXIF Data
Vulnerability report for CVE-2026-14454, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-08
Last updated on: 2026-07-08
Assigner: CPANSec
Description
Description
Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed.
Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process.
An attacker could craft an image with EXIF data that terminates a worker process.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tonycoz | imager | to 1.033 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
| CWE-196 | The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive. |