{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40493", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.115Z", "datePublished": "2026-04-18T01:41:14.664Z", "dateUpdated": "2026-04-20T16:15:22.120Z"}, "containers": {"cna": {"title": "SAIL has heap buffer overflow in PSD decoder \u2014 bpp mismatch in LAB 16-bit mode", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-rcqx-gc76-r9mv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-rcqx-gc76-r9mv"}, {"name": "https://github.com/HappySeaFox/sail/commit/c930284445ea3ff94451ccd7a57c999eca3bc979", "tags": ["x_refsource_MISC"], "url": "https://github.com/HappySeaFox/sail/commit/c930284445ea3ff94451ccd7a57c999eca3bc979"}], "affected": [{"vendor": "HappySeaFox", "product": "sail", "versions": [{"version": "< c930284445ea3ff94451ccd7a57c999eca3bc979", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T01:41:14.664Z"}, "descriptions": [{"lang": "en", "value": "SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch."}], "source": {"advisory": "GHSA-rcqx-gc76-r9mv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:11:59.642196Z", "id": "CVE-2026-40493", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:15:22.120Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40493", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T16:11:59.642196Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:12:09.099Z"}}], "cna": {"title": "SAIL has heap buffer overflow in PSD decoder \u2014 bpp mismatch in LAB 16-bit mode", "source": {"advisory": "GHSA-rcqx-gc76-r9mv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "HappySeaFox", "product": "sail", "versions": [{"status": "affected", "version": "< c930284445ea3ff94451ccd7a57c999eca3bc979"}]}], "references": [{"url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-rcqx-gc76-r9mv", "name": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-rcqx-gc76-r9mv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/HappySeaFox/sail/commit/c930284445ea3ff94451ccd7a57c999eca3bc979", "name": "https://github.com/HappySeaFox/sail/commit/c930284445ea3ff94451ccd7a57c999eca3bc979", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T01:41:14.664Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40493", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:15:22.120Z", "dateReserved": "2026-04-13T19:50:42.115Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-18T01:41:14.664Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch."}], "id": "CVE-2026-40493", "lastModified": "2026-04-20T18:55:47.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T03:16:13.440", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/HappySeaFox/sail/commit/c930284445ea3ff94451ccd7a57c999eca3bc979"}, {"source": "security-advisories@github.com", "url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-rcqx-gc76-r9mv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,c930284445ea3ff94451ccd7a57c999eca3bc979)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sail", "source": "cna", "vendor": "HappySeaFox"}, "product": "sail", "vendor": "happyseafox"}], "analysis": {"en": {"generated_at": "2026-04-18T17:02:01.655715+00:00", "value": {"mitigation_remediation": ["Upgrade the Sail library to a version that incorporates commit c930284445ea3ff94451ccd7a57c999eca3bc979 or later.", "Ensure that all applications and services that depend on Sail are rebuilt and redeployed with the patched library.", "Restrict the acceptance of PSD files to trusted sources or process them in a sandboxed environment to contain any potential exploitation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the HappySeaFox:sail image processing library, which is used across multiple platforms for loading and saving images, supporting animation, metadata, and ICC profiles. All versions of sail released prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979 are susceptible; later versions contain the fix.", "description_and_impact": "A deterministic heap buffer overflow is triggered when the SAIL library decodes PSD images in LAB 16\u2011bit mode. The library calculates bytes\u2011per\u2011pixel from the header fields channels\u00a0\u00d7\u00a0depth, but allocates the pixel buffer according to the resolved pixel format. For LAB mode with three channels at 16 bits per channel, the calculated bpp is six, while the format reserves only five bytes per pixel. Each pixel write overruns the buffer, creating a reliable overflow that can be leveraged to overwrite adjacent heap memory and potentially execute arbitrary code within the process that loads the image.", "risk_and_exploitability": "The CVSS score of 9.8 indicates critical severity, and the absence of an available EPSS score does not diminish the risk, especially when untrusted image files can be supplied to any application that uses sail. Because the overflow occurs deterministically on every row of a malformed PSD, exploitation requires only a crafted PSD document. As the library is widely used in image\u2011handling components, the attack vector is likely remote via malicious image delivery, and the vulnerability has not yet been listed in CISA\u2019s Known Exploited Vulnerabilities catalog, but its high severity warrants proactive remediation."}}}}, "created": "2026-04-18T03:30:25.706772+00:00", "updated": "2026-04-18T17:15:05.772116+00:00", "vendors": ["happyseafox", "happyseafox$PRODUCT$sail"]}