CVE-2026-35444 - Vulnerability Details

- SDL_image has a heap buffer overflow READ via unchecked colormap index in XCF loader

Description

SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.

Published: 2026-04-06

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

SDL_image’s XCF loader uses pixel index values directly as colormap indices without checking them against the actual colormap size. A crafted .xcf file can contain pixel indices that exceed the colormap bounds, causing SDL_image to read up to 762 bytes beyond the allocated colormap area. The leaked bytes are copied into the output image’s pixel data, making sensitive information potentially visible in the rendered image. This vulnerability is a classic unchecked read, classified as CWE‑125.

Affected Systems

The flaw exists in the SDL_image library distributed by libsdl-org. Any release that contains the buggy XCF loader and has not been updated to commit 996bf12888925932daace576e09c3053410896f8 is affected. Systems that use this library to load XCF images from untrusted sources are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high impact severity. While no EPSS data is available and the vulnerability is not in CISA’s KEV catalog, the exploit requires a malicious .xcf file to be processed by an application using SDL_image. Thus the attack vector is local with an untrusted file. A successful exploitation can leak memory contents to an attacker through the visible image, resulting in confidentiality compromise. The risk is significant enough to warrant an immediate patch.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

libsdl-org

SDL_image

affected

Version	Status	Constraints
`< 996bf12888925932daace576e09c3053410896f8`	affected	—

Configuration 1 [-]

cpe:2.3:a:libsdl:sdl_image:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Libsdl

Sdl Image

89%

Version	Status	Scheme	Platform
`[0,996bf12888925932daace576e09c3053410896f8)`	affected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update SDL_image to commit 996bf12888925932daace576e09c3053410896f8 or a later release that includes the fix.

Generated by OpenCVE AI on April 7, 2026 at 01:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00011.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7

History

Thu, 16 Apr 2026 04:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:libsdl:sdl_image::::::::

Wed, 08 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Libsdl Libsdl sdl Image
Vendors & Products		Libsdl Libsdl sdl Image

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.
Title		SDL_image has a heap buffer overflow READ via unchecked colormap index in XCF loader
Weaknesses		CWE-125
References		https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L'}`

Subscriptions

Libsdl Sdl Image

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-06T21:44:05.986Z

Updated: 2026-04-08T14:06:28.528Z

Reserved: 2026-04-02T19:25:52.192Z

Link: CVE-2026-35444

Vulnrichment

Updated: 2026-04-08T14:06:25.419Z

NVD

Status : Analyzed

Published: 2026-04-06T22:16:23.003

Modified: 2026-04-16T04:41:25.240

Link: CVE-2026-35444

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:36:41Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object