Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-8813

Summary
Assigner-snyk
Assigner Org ID-bae035ff-b466-4ff4-94d0-fc9efd9e1730
Published At-19 May, 2026 | 05:00
Updated At-19 May, 2026 | 05:00
Rejected At-
Credits

This affects versions of the package exifreader before 4.39.0. A crafted image containing an ICC mluc tag can set an attacker-controlled record count together with a zero record size. During parsing, ExifReader repeatedly processes the same record and appends entries to an array without sufficient bounds validation, causing excessive memory growth. In applications that parse attacker-supplied images, this may lead to denial of service through memory exhaustion.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:snyk
Assigner Org ID:bae035ff-b466-4ff4-94d0-fc9efd9e1730
Published At:19 May, 2026 | 05:00
Updated At:19 May, 2026 | 05:00
Rejected At:
â–¼CVE Numbering Authority (CNA)

This affects versions of the package exifreader before 4.39.0. A crafted image containing an ICC mluc tag can set an attacker-controlled record count together with a zero record size. During parsing, ExifReader repeatedly processes the same record and appends entries to an array without sufficient bounds validation, causing excessive memory growth. In applications that parse attacker-supplied images, this may lead to denial of service through memory exhaustion.

Affected Products
Vendor
n/a
Product
exifreader
Versions
Affected
  • From 0 before 4.39.0 (semver)
Problem Types
TypeCWE IDDescription
N/AN/AImproper Validation of Specified Quantity in Input
Type: N/A
CWE ID: N/A
Description: Improper Validation of Specified Quantity in Input
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Yuki Matsuhashi
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689335
N/A
https://gist.github.com/yuki-matsuhashi/3243ea38e5fbf8cfe19b624f04c9f4b4
N/A
https://github.com/mattiasw/ExifReader/commit/c9d88b67e127b2dcc7b46e328df468257fb2dc30
N/A
Hyperlink: https://security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689335
Resource: N/A
Hyperlink: https://gist.github.com/yuki-matsuhashi/3243ea38e5fbf8cfe19b624f04c9f4b4
Resource: N/A
Hyperlink: https://github.com/mattiasw/ExifReader/commit/c9d88b67e127b2dcc7b46e328df468257fb2dc30
Resource: N/A
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:report@snyk.io
Published At:19 May, 2026 | 07:16
Updated At:19 May, 2026 | 07:16

This affects versions of the package exifreader before 4.39.0. A crafted image containing an ICC mluc tag can set an attacker-controlled record count together with a zero record size. During parsing, ExifReader repeatedly processes the same record and appends entries to an array without sufficient bounds validation, causing excessive memory growth. In applications that parse attacker-supplied images, this may lead to denial of service through memory exhaustion.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 4.0
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-1284Secondaryreport@snyk.io
CWE ID: CWE-1284
Type: Secondary
Source: report@snyk.io
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://gist.github.com/yuki-matsuhashi/3243ea38e5fbf8cfe19b624f04c9f4b4report@snyk.io
N/A
https://github.com/mattiasw/ExifReader/commit/c9d88b67e127b2dcc7b46e328df468257fb2dc30report@snyk.io
N/A
https://security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689335report@snyk.io
N/A
Hyperlink: https://gist.github.com/yuki-matsuhashi/3243ea38e5fbf8cfe19b624f04c9f4b4
Source: report@snyk.io
Resource: N/A
Hyperlink: https://github.com/mattiasw/ExifReader/commit/c9d88b67e127b2dcc7b46e328df468257fb2dc30
Source: report@snyk.io
Resource: N/A
Hyperlink: https://security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689335
Source: report@snyk.io
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

55Records found
CVE-2022-40761
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.82% / 74.61%
||
7 Day CHG~0.00%
Published-16 Sep, 2022 | 21:35
Updated-03 Aug, 2024 | 12:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The function tee_obj_free in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_AllocateOperation with a disturbed heap layout, related to utee_cryp_obj_alloc.

Action-Not Available
Vendor-n/aSamsung
Product-mtowern/a
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CVE-2022-39313
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.33% / 56.35%
||
7 Day CHG~0.00%
Published-24 Oct, 2022 | 00:00
Updated-23 Apr, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Parse Server crashes when receiving file download request with invalid byte range

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been patched in versions 4.10.17, and 5.2.8. There are no known workarounds.

Action-Not Available
Vendor-parseplatformparse-community
Product-parse-serverparse-server
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CVE-2022-36620
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.83% / 88.28%
||
7 Day CHG~0.00%
Published-31 Aug, 2022 | 00:00
Updated-03 Aug, 2024 | 10:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-link DIR-816 A2_v1.10CNB04, DIR-878 DIR_878_FW1.30B08.img is vulnerable to Buffer Overflow via /goform/addRouting.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-816_firmwaredir-816n/a
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CVE-2025-3511
Matching Score-4
Assigner-Mitsubishi Electric Corporation
ShareView Details
Matching Score-4
Assigner-Mitsubishi Electric Corporation
CVSS Score-7.5||HIGH
EPSS-0.10% / 27.79%
||
7 Day CHG~0.00%
Published-25 Apr, 2025 | 05:14
Updated-24 Apr, 2026 | 07:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module, CC-Link IE TSN Analog-Digital Converter module, CC-Link IE TSN Digital-Analog Converter module, CC-Link IE TSN FPGA module, CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY, MELSEC iQ-R Series CC-Link IE TSN Master/Local Module, MELSEC iQ-R Series Ethernet Interface Module, CC-Link IE TSN Master/Local Station Communication LSI CP610, MELSEC iQ-F Series FX5 CC-Link IE TSN Master/Local Module, MELSEC iQ-F Series FX5 Ethernet Module, and MELSEC iQ-F Series FX5-ENET/IP Ethernet Module allows a remote unauthenticated attacker to cause a Denial of Service condition in the products by sending specially crafted UDP packets.

Action-Not Available
Vendor-Mitsubishi Electric Corporation
Product-CC-Link IE TSN Remote I/O module NZ2GN2B1-32DCC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY NZ2GACP620-300MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IPCC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY NZ2GACP620-60CC-Link IE TSN Remote I/O module NZ2GN2S1-32DTMELSEC iQ-R Series CC-Link IE TSN Master/Local Module RJ71GN11-SXCC-Link IE TSN Remote I/O module NZ2GNCE3-32DCC-Link IE TSN Remote I/O module NZ2GN2B1-32TECC-Link IE TSN Analog-Digital Converter module NZ2GN2B-60AD4CC-Link IE TSN Digital-Analog Converter module NZ2GN2S-60DA4CC-Link IE TSN Remote I/O module NZ2GN2B1-32DTMELSEC iQ-R Series Ethernet Interface Module RJ71EN71CC-Link IE TSN Remote I/O module NZ2GN2B1-16TECC-Link IE TSN Remote I/O module NZ2GNCF1-32DCC-Link IE TSN Remote I/O module NZ2GN12A2-16TECC-Link IE TSN Remote I/O module NZ2GN2S1-16TECC-Link IE TSN FPGA module NZ2GN2S-D41PD02CC-Link IE TSN Remote I/O module NZ2GN2B1-32DTECC-Link IE TSN Remote I/O module NZ2GNCF1-32TCC-Link IE TSN Remote I/O module NZ2GN2S1-32TCC-Link IE TSN Remote I/O module NZ2GN2S1-32DCC-Link IE TSN Remote I/O module NZ2GN2B1-32TCC-Link IE TSN Remote I/O module NZ2GN2S1-16DMELSEC iQ-F Series FX5 CC-Link IE TSN Master/Local Module FX5-CCLGN-MSCC-Link IE TSN Analog-Digital Converter module NZ2GN2S-60AD4MELSEC iQ-F Series FX5 Ethernet Module FX5-ENETCC-Link IE TSN Remote I/O module NZ2GN2S1-32DTEMELSEC iQ-R Series CC-Link IE TSN Master/Local Module RJ71GN11-EIPCC-Link IE TSN Remote I/O module NZ2GN12A4-16DECC-Link IE TSN Remote I/O module NZ2GN2S1-32TECC-Link IE TSN Remote I/O module NZ2GN2B1-16TCC-Link IE TSN FPGA module NZ2GN2S-D41D01CC-Link IE TSN Remote I/O module NZ2GN2S1-16TCC-Link IE TSN Remote I/O module NZ2GN12A42-16DTECC-Link IE TSN Remote I/O module NZ2GN12A42-16DTCC-Link IE TSN FPGA module NZ2GN2S-D41P01MELSEC iQ-R Series CC-Link IE TSN Master/Local Module RJ71GN11-T2CC-Link IE TSN Remote I/O module NZ2GN2B1-16DCC-Link IE TSN Master/Local Station Communication LSI CP610 NZ2GACP610-60CC-Link IE TSN Remote I/O module NZ2GN12A2-16TCC-Link IE TSN Remote I/O module NZ2GN12A4-16DCC-Link IE TSN Digital-Analog Converter module NZ2GN2B-60DA4CC-Link IE TSN Master/Local Station Communication LSI CP610 NZ2KT-NPETNG51CC-Link IE TSN Remote I/O module NZ2GNCE3-32DT
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CVE-2025-14511
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.31%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 20:05
Updated-28 Feb, 2026 | 00:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Validation of Specified Quantity in Input in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event endpoint under certain conditions.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
  • Previous
  • 1
  • 2
  • Next
Details not found