CVE-2026-13705

Source
https://cve.org/CVERecord?id=CVE-2026-13705
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13705.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-13705
Downstream
Published
2026-07-06T12:03:38.513Z
Modified
2026-07-08T08:12:22.449623497Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVSS Calculator
Summary
Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle
Details

Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in readrgb16_rle.

readrgb16rle guards each literal run with if (count > dataleft), but count is a pixel count while every 16-bit sample consumes two bytes. The copy loop reads inp[0] * 256 + inp[1] and advances two bytes per pixel, so a run with dataleft / 2 < count <= dataleft passes the guard yet consumes 2 * count bytes and reads past the end of the buffer. The 8-bit path is unaffected because there one pixel is one byte.

Reading a crafted SGI image through Imager->read triggers the over-read before the parser rejects the malformed image, which can crash the process.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13705.json",
    "cna_assigner": "CPANSec",
    "cwe_ids": [
        "CWE-125"
    ]
}
References

Affected packages

Git / github.com/tonycoz/imager

Affected ranges

Type
GIT
Repo
https://github.com/tonycoz/imager
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.032"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

Imager-0.*
Imager-0.49
Imager-0.51_01
Imager-0.51_02
Imager-0.52
Imager-0.53
Imager-0.55
Imager-0.58
Imager-0.59
Imager-0.60
Imager-0.61
Imager-0.63
Imager-0.65
Imager-0.71
Imager-0.72
Imager-0.75
Imager-0.76
Imager-0.77
Imager-0.78
Imager-0.79
Imager-0.80
Imager-0.81
Imager-0.82
Other
Imager-0_38
Imager-0_38pre9
v0.*
v0.82_01
v0.83
v0.84
v0.84_01
v0.84_02
v0.85
v0.85_01
v0.85_02
v0.86
v0.87
v0.88
v0.89
v0.90
v0.91
v0.92
v0.93
v0.94
v0.94_01
v0.94_02
v0.95
v0.96
v0.96_01
v0.96_02
v0.97
v0.98
v0.99
v0.99_01
v0.99_02
v1.*
v1.000
v1.001
v1.002
v1.003
v1.004
v1.004_001
v1.004_002
v1.004_003
v1.004_004
v1.005
v1.006
v1.007
v1.008
v1.009
v1.010
v1.011
v1.012
v1.013
v1.014
v1.015
v1.016
v1.017
v1.018
v1.019
v1.020
v1.021
v1.022
v1.023
v1.024
v1.025
v1.026
v1.027
v1.028
v1.029
v1.030
v1.031

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13705.json"