CVE-2026-8814 documents a data amplification vulnerability in ExifReader, a JavaScript library for reading image metadata. Versions prior to 4.39.0 fail to enforce maximum decompressed output size limits when handling PNG zTXt (compressed text) metadata chunks. When asynchronous parsing is enabled, a crafted PNG file containing a highly compressed zTXt chunk can trigger disproportionate memory consumption [truncated]
A denial-of-service vulnerability exists in ExifReader versions prior to 4.39.0. The issue stems from improper handling of ICC mluc (multi-localized Unicode) tags in image metadata parsing. When a crafted image contains an mluc tag with an attacker-controlled record count paired with a zero record size, the parser enters a loop that repeatedly processes the same record and appends entries to an array with [truncated]