CVE-2026-14454

Source
https://cve.org/CVERecord?id=CVE-2026-14454
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14454.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-14454
Downstream
Published
2026-07-08T12:30:20.230Z
Modified
2026-07-16T03:48:27.371506763Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed
Details

Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed.

Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process.

An attacker could craft an image with EXIF data that terminates a worker process.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14454.json",
    "cwe_ids": [
        "CWE-196",
        "CWE-789"
    ],
    "cna_assigner": "CPANSec"
}
References

Affected packages

Git / github.com/tonycoz/imager

Affected ranges

Type
GIT
Repo
https://github.com/tonycoz/imager
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.033"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:tonycoz:imager:*:*:*:*:*:perl:*:*"
}

Affected versions

Imager-0.*
Imager-0.49
Imager-0.51_01
Imager-0.51_02
Imager-0.52
Imager-0.53
Imager-0.55
Imager-0.58
Imager-0.59
Imager-0.60
Imager-0.61
Imager-0.63
Imager-0.65
Imager-0.71
Imager-0.72
Imager-0.75
Imager-0.76
Imager-0.77
Imager-0.78
Imager-0.79
Imager-0.80
Imager-0.81
Imager-0.82
Other
Imager-0_38
Imager-0_38pre9
v0.*
v0.82_01
v0.83
v0.84
v0.84_01
v0.84_02
v0.85
v0.85_01
v0.85_02
v0.86
v0.87
v0.88
v0.89
v0.90
v0.91
v0.92
v0.93
v0.94
v0.94_01
v0.94_02
v0.95
v0.96
v0.96_01
v0.96_02
v0.97
v0.98
v0.99
v0.99_01
v0.99_02
v1.*
v1.000
v1.001
v1.002
v1.003
v1.004
v1.004_001
v1.004_002
v1.004_003
v1.004_004
v1.005
v1.006
v1.007
v1.008
v1.009
v1.010
v1.011
v1.012
v1.013
v1.014
v1.015
v1.016
v1.017
v1.018
v1.019
v1.020
v1.021
v1.022
v1.023
v1.024
v1.025
v1.026
v1.027
v1.028
v1.029
v1.030
v1.031
v1.032

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14454.json"