CVE-2026-14454
CVE-2026-14454 is a security vulnerability that is still awaiting full analysis and scoring. The underlying weakness is classified as CWE-196.
Key facts
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-196
- Published:
- Last modified:
Description
Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed. Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process. An attacker could craft an image with EXIF data that terminates a worker process.
Frequently asked questions
- What is CVE-2026-14454?
- Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed. Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process. An attacker could craft an image with EXIF data that terminates a worker process.
- Is CVE-2026-14454 being actively exploited?
- It is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no EPSS exploit-prediction score is available yet.
- How do I fix CVE-2026-14454?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2026-14454 published?
- CVE-2026-14454 was published on 2026-07-08.
References
- https://github.com/tonycoz/imager/commit/06f01a5d0fd591259aeba589370d6888384a6b6d.patch
- https://metacpan.org/release/TONYC/Imager-1.033/changes
- http://www.openwall.com/lists/oss-security/2026/07/08/6
Other CWE-196 vulnerabilities
- CVE-2026-34155 — Medium (CVSS 5.3): RAUC controls the update process on embedded Linux systems. Prior to version 1.15.2, RAUC bundles using the 'plain'…