Description
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.
Published: 2026-04-18
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow (possible remote code execution)
Action: Immediate Patch
AI Analysis

Impact

A heap buffer overflow occurs in the SAIL XWD decoder when the library incorrectly uses the bits_per_pixel value to index a 32‑bit buffer while the pixmap_depth indicates an 8‑bit indexed format. The mismatch causes the byte‑swap loop to read and write four times beyond the allocated memory, corrupting adjacent heap objects. The CVSS score of 9.8 classifies this as a critical flaw that could allow arbitrary code execution or crash the host application.

Affected Systems

The vulnerability affects the HappySeaFox Sail image library in all releases before the commit identified by 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02. No specific vendor version numbers are provided, but any build incorporating the XWD decoder without that commit is susceptible.

Risk and Exploitability

With an EPSS score not available and the issue not listed in CISA KEV, the probability of widespread exploitation is uncertain, yet the high severity and clear path to out‑of‑bounds writes imply that an attacker who can supply a crafted XWD file could potentially execute arbitrary code. The likely attack vector involves an application that loads XWD images from untrusted sources; the flaw is exploited when pixmap_depth is 8 but bits_per_pixel is 32, a combination the decoder does not validate.

Generated by OpenCVE AI on April 18, 2026 at 17:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 to the SAIL source or upgrade to a version that includes this fix.
  • If an immediate update is not possible, disable or remove the XWD decoder so that XWD images are no longer processed by the library.
  • Implement additional validation that the pixmap_depth value matches the bits_per_pixel before performing byte‑swap operations, ensuring the buffer size is correctly calculated.

Generated by OpenCVE AI on April 18, 2026 at 17:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 18 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Happyseafox
Happyseafox sail
Vendors & Products Happyseafox
Happyseafox sail

Sat, 18 Apr 2026 02:30:00 +0000

Type Values Removed Values Added
Description SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.
Title SAIL has heap buffer overflow in XWD decoder — bits_per_pixel vs pixmap_depth type confusion in byte-swap
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Happyseafox Sail
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T15:24:42.029Z

Reserved: 2026-04-13T19:50:42.115Z

Link: CVE-2026-40492

cve-icon Vulnrichment

Updated: 2026-04-20T15:24:30.496Z

cve-icon NVD

Status : Deferred

Published: 2026-04-18T03:16:13.300

Modified: 2026-04-20T18:55:47.120

Link: CVE-2026-40492

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:15:05Z

Weaknesses