CVE-2026-40494

Source
https://cve.org/CVERecord?id=CVE-2026-40494
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40494.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40494
Aliases
  • GHSA-cp2j-rwh4-r46f
Downstream
Published
2026-04-18T01:42:48.830Z
Modified
2026-07-08T08:12:34.695762168Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
SAIL has heap buffer overflow in TGA RLE decoder — raw packet path missing bounds check
Details

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in tga.c has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40494.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-787"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "45d48d1f2e8e0d73e80bc1fd5310cb57f4547302"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/happyseafox/sail

Affected ranges

Type
GIT
Repo
https://github.com/happyseafox/sail
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

v0.*
v0.9.0
v0.9.0-pre1
v0.9.0-pre10
v0.9.0-pre11
v0.9.0-pre12
v0.9.0-pre13
v0.9.0-pre14
v0.9.0-pre15
v0.9.0-pre16
v0.9.0-pre17
v0.9.0-pre18
v0.9.0-pre19
v0.9.0-pre2
v0.9.0-pre20
v0.9.0-pre21
v0.9.0-pre22
v0.9.0-pre23
v0.9.0-pre3
v0.9.0-pre4
v0.9.0-pre5
v0.9.0-pre6
v0.9.0-pre7
v0.9.0-pre8
v0.9.0-pre9
v0.9.0-rc1
v0.9.0-rc2
v0.9.0-rc3
v0.9.1
v0.9.10
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40494.json"