{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35444", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.192Z", "datePublished": "2026-04-06T21:44:05.986Z", "dateUpdated": "2026-04-08T14:06:28.528Z"}, "containers": {"cna": {"title": "SDL_image has a heap buffer overflow READ via unchecked colormap index in XCF loader", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7"}], "affected": [{"vendor": "libsdl-org", "product": "SDL_image", "versions": [{"version": "< 996bf12888925932daace576e09c3053410896f8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:44:05.986Z"}, "descriptions": [{"lang": "en", "value": "SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8."}], "source": {"advisory": "GHSA-gq8w-x74c-h6p7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:06:16.276801Z", "id": "CVE-2026-35444", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:06:28.528Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35444", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:06:16.276801Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:06:25.419Z"}}], "cna": {"title": "SDL_image has a heap buffer overflow READ via unchecked colormap index in XCF loader", "source": {"advisory": "GHSA-gq8w-x74c-h6p7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "libsdl-org", "product": "SDL_image", "versions": [{"status": "affected", "version": "< 996bf12888925932daace576e09c3053410896f8"}]}], "references": [{"url": "https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7", "name": "https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:44:05.986Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35444", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:06:28.528Z", "dateReserved": "2026-04-02T19:25:52.192Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T21:44:05.986Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libsdl:sdl_image:*:*:*:*:*:*:*:*", "matchCriteriaId": "B972BD3B-ECC4-45A8-AA8C-04A8643CC6CD", "versionEndExcluding": "2026-04-02", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8."}], "id": "CVE-2026-35444", "lastModified": "2026-04-16T04:41:25.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-06T22:16:23.003", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Patch"], "url": "https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,996bf12888925932daace576e09c3053410896f8)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "SDL_image", "source": "cna", "vendor": "libsdl-org"}, "product": "sdl_image", "vendor": "libsdl"}], "analysis": {"en": {"generated_at": "2026-04-07T01:56:25.482883+00:00", "value": {"mitigation_remediation": ["Update SDL_image to commit 996bf12888925932daace576e09c3053410896f8 or a later release that includes the fix."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure via a heap out\u2011of\u2011bounds read"}, "threat_synthesis": {"affected_systems": "The flaw exists in the SDL_image library distributed by libsdl-org. Any release that contains the buggy XCF loader and has not been updated to commit 996bf12888925932daace576e09c3053410896f8 is affected. Systems that use this library to load XCF images from untrusted sources are at risk.", "description_and_impact": "SDL_image\u2019s XCF loader uses pixel index values directly as colormap indices without checking them against the actual colormap size. A crafted .xcf file can contain pixel indices that exceed the colormap bounds, causing SDL_image to read up to 762 bytes beyond the allocated colormap area. The leaked bytes are copied into the output image\u2019s pixel data, making sensitive information potentially visible in the rendered image. This vulnerability is a classic unchecked read, classified as CWE\u2011125.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a moderate to high impact severity. While no EPSS data is available and the vulnerability is not in CISA\u2019s KEV catalog, the exploit requires a malicious .xcf file to be processed by an application using SDL_image. Thus the attack vector is local with an untrusted file. A successful exploitation can leak memory contents to an attacker through the visible image, resulting in confidentiality compromise. The risk is significant enough to warrant an immediate patch."}}}}, "created": "2026-04-07T06:53:43.193691+00:00", "updated": "2026-04-07T09:36:41.098495+00:00", "vendors": ["libsdl", "libsdl$PRODUCT$sdl_image"]}