Double Vision: The Heap Overflow in gif2apng

Alon Barad

Software Engineer

Jan 7, 2026·6 min read·3 visits

PoC Available

Executive Summary (TL;DR)

The gif2apng tool uses a two-pass strategy to convert GIFs: count frames, allocate memory, then read data. CVE-2021-45911 exploits a mismatch where the second pass writes more data than the first pass allocated, leading to a heap buffer overflow. Fixing it requires a simple bounds check.

A classic heap-based buffer overflow in gif2apng version 1.9 allows attackers to cause a denial of service or potentially execute arbitrary code via a crafted GIF file. The vulnerability stems from a disconnect between the frame counting logic and the frame processing logic.

Attack Flow Diagram

Official Patches

DebianDebian Bug Report and Patch Track

UbuntuUbuntu Security Notice USN-5969-1

Technical Appendix

CVSS Score

7.8/ 10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

0.16%

Top 62% most exploited

Affected Systems

gif2apng 1.9Debian 11 (Bullseye) (pre-patch)Ubuntu 20.04 LTS (pre-patch)

Affected Versions Detail

Product	Affected Versions	Fixed Version
gif2apng gif2apng Project	<= 1.9	1.9+srconly-3+deb11u1

Attribute	Detail
CWE ID	CWE-122 (Heap-based Buffer Overflow)
CVSS v3.1	7.8 (High)
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector	Local (User Interaction Required)
EPSS Score	0.16%
Exploit Status	PoC Available

MITRE ATT&CK Mapping

T1203Exploitation for Client Execution

Execution

T1059Command and Scripting Interpreter

Execution

CWE-122

Heap-based Buffer Overflow

A heap-based buffer overflow occurs when a program writes to a memory address on the heap that is outside the bounds of the allocated buffer.

Vulnerability Timeline

Vulnerabilities discovered

2021-12-01

CVE-2021-45911 Published

2021-12-28

Debian LTS Advisory Released

2022-03-07

Ubuntu Security Notice Released

2023-03-23