CVE-2026-13708

EUVD-2026-41873
Imager::File::JPEG versions before 1.003 for Perl leak heap memory when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol.

i_readjpeg_wiol walks the marker list libjpeg returns and, for each APP13 marker, allocates a new buffer with *iptc_itext = mymalloc(...) and overwrites the previous pointer without freeing it. Only the final payload is later turned into a Perl scalar and freed, so a JPEG with N such markers leaks the first N-1 payloads on every read.

In a long-lived process, such as an upload or thumbnailing service, repeated reads accumulate these leaks and exhaust available memory, a denial of service.

The same handler ships bundled in the Imager distribution, where versions before 1.032 are affected and the fix ships in 1.032.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
libimager-perl
bookworm
vulnerable
bullseye
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libimager-perl
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
resolute
needs-triage