CVE-2026-8669

Name: CVE-2026-8669
Description: Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuses it across every image in the file. The page-match branch validates Image.Width + Image.Left > SWidth before each DGifGetLine write, but the parallel skip-image branch at imgif.c:790-805 calls DGifGetLine(GifFile, GifRow, Width) with no such check.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release     Version        Status
libimager-perl (PTS)  bullseye    1.012+dfsg-1   vulnerable
                      bookworm    1.019+dfsg-1   vulnerable
                      trixie      1.027+dfsg-1   vulnerable
                      forky, sid  1.031+dfsg-1   fixed

The information below is based on the following data on fixed versions.

Package         Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
libimager-perl  source  (unstable)  1.031+dfsg-1

Notes

[trixie] - libimager-perl <no-dsa> (Minor issue)
[bookworm] - libimager-perl <no-dsa> (Minor issue)
[bullseye] - libimager-perl <no-dsa> (Minor issue)
https://lists.security.metacpan.org/cve-announce/msg/40083214/
Imager embeds the Imager::File::GIF code and syncs the fix:
Fixed by: https://github.com/tonycoz/imager/commit/782e9c06cc75a0f7eed383f39522f51f44598b04 (v1.031)
