VYPR
Critical severity9.8NVD Advisory· Published Apr 18, 2026· Updated Apr 20, 2026

CVE-2026-40492

CVE-2026-40492

Description

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on pixmap_depth but the byte-swap code uses bits_per_pixel independently. When pixmap_depth=8 (BPP8_INDEXED, 1 byte/pixel buffer) but bits_per_pixel=32, the byte-swap loop accesses memory as uint32_t*, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed bytes_per_line validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • HappySeaFox/Sailreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.