CVE-2026-40492

Source
https://cve.org/CVERecord?id=CVE-2026-40492
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40492.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40492
Aliases
  • GHSA-526v-vm72-4v64
Downstream
Published
2026-04-18T01:39:48.056Z
Modified
2026-07-08T08:13:12.859781907Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
SAIL has heap buffer overflow in XWD decoder — bits_per_pixel vs pixmap_depth type confusion in byte-swap
Details

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on pixmap_depth but the byte-swap code uses bits_per_pixel independently. When pixmap_depth=8 (BPP8_INDEXED, 1 byte/pixel buffer) but bits_per_pixel=32, the byte-swap loop accesses memory as uint32_t*, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed bytes_per_line validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "36aa5c7ec8a2bb35f6fb867a1177a6f141156b02"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40492.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-787"
    ]
}
References

Affected packages

Git / github.com/happyseafox/sail

Affected ranges

Type
GIT
Repo
https://github.com/happyseafox/sail
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

v0.*
v0.9.0
v0.9.0-pre1
v0.9.0-pre10
v0.9.0-pre11
v0.9.0-pre12
v0.9.0-pre13
v0.9.0-pre14
v0.9.0-pre15
v0.9.0-pre16
v0.9.0-pre17
v0.9.0-pre18
v0.9.0-pre19
v0.9.0-pre2
v0.9.0-pre20
v0.9.0-pre21
v0.9.0-pre22
v0.9.0-pre23
v0.9.0-pre3
v0.9.0-pre4
v0.9.0-pre5
v0.9.0-pre6
v0.9.0-pre7
v0.9.0-pre8
v0.9.0-pre9
v0.9.0-rc1
v0.9.0-rc2
v0.9.0-rc3
v0.9.1
v0.9.10
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40492.json"