{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40492", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.115Z", "datePublished": "2026-04-18T01:39:48.056Z", "dateUpdated": "2026-04-20T15:24:42.029Z"}, "containers": {"cna": {"title": "SAIL has heap buffer overflow in XWD decoder \u2014 bits_per_pixel vs pixmap_depth type confusion in byte-swap", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-526v-vm72-4v64", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-526v-vm72-4v64"}, {"name": "https://github.com/HappySeaFox/sail/commit/36aa5c7ec8a2bb35f6fb867a1177a6f141156b02", "tags": ["x_refsource_MISC"], "url": "https://github.com/HappySeaFox/sail/commit/36aa5c7ec8a2bb35f6fb867a1177a6f141156b02"}], "affected": [{"vendor": "HappySeaFox", "product": "sail", "versions": [{"version": "< 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T01:39:48.056Z"}, "descriptions": [{"lang": "en", "value": "SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch."}], "source": {"advisory": "GHSA-526v-vm72-4v64", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-526v-vm72-4v64", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T15:24:38.837811Z", "id": "CVE-2026-40492", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:24:42.029Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40492", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T15:24:38.837811Z"}}}], "references": [{"url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-526v-vm72-4v64", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:24:30.496Z"}}], "cna": {"title": "SAIL has heap buffer overflow in XWD decoder \u2014 bits_per_pixel vs pixmap_depth type confusion in byte-swap", "source": {"advisory": "GHSA-526v-vm72-4v64", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "HappySeaFox", "product": "sail", "versions": [{"status": "affected", "version": "< 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02"}]}], "references": [{"url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-526v-vm72-4v64", "name": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-526v-vm72-4v64", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/HappySeaFox/sail/commit/36aa5c7ec8a2bb35f6fb867a1177a6f141156b02", "name": "https://github.com/HappySeaFox/sail/commit/36aa5c7ec8a2bb35f6fb867a1177a6f141156b02", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T01:39:48.056Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40492", "state": "PUBLISHED", "dateUpdated": "2026-04-20T15:24:42.029Z", "dateReserved": "2026-04-13T19:50:42.115Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-18T01:39:48.056Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch."}], "id": "CVE-2026-40492", "lastModified": "2026-04-20T18:55:47.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T03:16:13.300", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/HappySeaFox/sail/commit/36aa5c7ec8a2bb35f6fb867a1177a6f141156b02"}, {"source": "security-advisories@github.com", "url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-526v-vm72-4v64"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-526v-vm72-4v64"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,36aa5c7ec8a2bb35f6fb867a1177a6f141156b02)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sail", "source": "cna", "vendor": "HappySeaFox"}, "product": "sail", "vendor": "happyseafox"}], "analysis": {"en": {"generated_at": "2026-04-18T17:02:14.441819+00:00", "value": {"mitigation_remediation": ["Apply the patch from commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 to the SAIL source or upgrade to a version that includes this fix.", "If an immediate update is not possible, disable or remove the XWD decoder so that XWD images are no longer processed by the library.", "Implement additional validation that the pixmap_depth value matches the bits_per_pixel before performing byte\u2011swap operations, ensuring the buffer size is correctly calculated."], "summary": {"action": "Immediate Patch", "impact": "Heap Buffer Overflow (possible remote code execution)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the HappySeaFox Sail image library in all releases before the commit identified by 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02. No specific vendor version numbers are provided, but any build incorporating the XWD decoder without that commit is susceptible.", "description_and_impact": "A heap buffer overflow occurs in the SAIL XWD decoder when the library incorrectly uses the bits_per_pixel value to index a 32\u2011bit buffer while the pixmap_depth indicates an 8\u2011bit indexed format. The mismatch causes the byte\u2011swap loop to read and write four times beyond the allocated memory, corrupting adjacent heap objects. The CVSS score of 9.8 classifies this as a critical flaw that could allow arbitrary code execution or crash the host application.", "risk_and_exploitability": "With an EPSS score not available and the issue not listed in CISA KEV, the probability of widespread exploitation is uncertain, yet the high severity and clear path to out\u2011of\u2011bounds writes imply that an attacker who can supply a crafted XWD file could potentially execute arbitrary code. The likely attack vector involves an application that loads XWD images from untrusted sources; the flaw is exploited when pixmap_depth is 8 but bits_per_pixel is 32, a combination the decoder does not validate."}}}}, "created": "2026-04-18T03:30:25.707079+00:00", "updated": "2026-04-18T17:15:05.772638+00:00", "vendors": ["happyseafox", "happyseafox$PRODUCT$sail"]}