{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40494", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.115Z", "datePublished": "2026-04-18T01:42:48.830Z", "dateUpdated": "2026-04-20T14:55:42.859Z"}, "containers": {"cna": {"title": "SAIL has heap buffer overflow in TGA RLE decoder \u2014 raw packet path missing bounds check", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-cp2j-rwh4-r46f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-cp2j-rwh4-r46f"}, {"name": "https://github.com/HappySeaFox/sail/commit/45d48d1f2e8e0d73e80bc1fd5310cb57f4547302", "tags": ["x_refsource_MISC"], "url": "https://github.com/HappySeaFox/sail/commit/45d48d1f2e8e0d73e80bc1fd5310cb57f4547302"}], "affected": [{"vendor": "HappySeaFox", "product": "sail", "versions": [{"version": "< 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T01:42:48.830Z"}, "descriptions": [{"lang": "en", "value": "SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue."}], "source": {"advisory": "GHSA-cp2j-rwh4-r46f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:47:38.934644Z", "id": "CVE-2026-40494", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:55:42.859Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40494", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T14:47:38.934644Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:47:40.310Z"}}], "cna": {"title": "SAIL has heap buffer overflow in TGA RLE decoder \u2014 raw packet path missing bounds check", "source": {"advisory": "GHSA-cp2j-rwh4-r46f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "HappySeaFox", "product": "sail", "versions": [{"status": "affected", "version": "< 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302"}]}], "references": [{"url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-cp2j-rwh4-r46f", "name": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-cp2j-rwh4-r46f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/HappySeaFox/sail/commit/45d48d1f2e8e0d73e80bc1fd5310cb57f4547302", "name": "https://github.com/HappySeaFox/sail/commit/45d48d1f2e8e0d73e80bc1fd5310cb57f4547302", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T01:42:48.830Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40494", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:55:42.859Z", "dateReserved": "2026-04-13T19:50:42.115Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-18T01:42:48.830Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue."}], "id": "CVE-2026-40494", "lastModified": "2026-04-20T18:55:47.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T03:16:13.590", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/HappySeaFox/sail/commit/45d48d1f2e8e0d73e80bc1fd5310cb57f4547302"}, {"source": "security-advisories@github.com", "url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-cp2j-rwh4-r46f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,45d48d1f2e8e0d73e80bc1fd5310cb57f4547302)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sail", "source": "cna", "vendor": "HappySeaFox"}, "product": "sail", "vendor": "happyseafox"}], "analysis": {"en": {"generated_at": "2026-04-18T08:39:47.814661+00:00", "value": {"mitigation_remediation": ["Upgrade the SAIL library to a build that includes commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 or later.", "If upgrading the library is not immediately possible, replace the tga.c file with the patched version from the commit and rebuild the application.", "In the meantime, disable TGA image support or perform strict validation of all TGA files before passing them to SAIL to reduce the window of opportunity for an attacker."], "summary": {"action": "Immediate Patch", "impact": "Heap buffer overflow enabling arbitrary code execution"}, "threat_synthesis": {"affected_systems": "Any installation of the HappySeaFox SAIL library that has not incorporated commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 or later. The issue exists across all platforms supported by SAIL because the vulnerable code resides in the core tga.c file. Applications that rely on the TGA format for loading images are affected if they use a pre\u2011patch version of the library.", "description_and_impact": "The SAIL image library contains a heap buffer overflow in its TGA RLE decoder. The raw\u2011packet path on lines 305\u2011311 lacks the bounds check that the run\u2011packet path includes, allowing up to 496 bytes of attacker\u2011controlled data to be written beyond the end of a heap buffer. This can overwrite neighboring memory and lead to arbitrary code execution or other memory corruption effects, classifying the flaw as a classic buffer overflow (CWE\u2011787).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.8, placing it in the critical range, and its EPSS score is not available, leaving the exploitation probability uncertain. The flaw is not listed in CISA\u2019s KEV catalog. Attackers can exploit it by supplying a specially crafted TGA file to any process that loads images through SAIL; the uncontrolled write occurs on the stack or heap of the process, so local code execution or privilege escalation is possible if the application runs with elevated rights. Because the vulnerability is file\u2011based, the attack surface extends to any user or remote attacker who can influence image input. No public exploits are currently documented, but the high severity and absence of mitigations in many deployments warrant immediate remediation."}}}}, "created": "2026-04-18T03:30:25.706166+00:00", "updated": "2026-04-18T08:45:41.379382+00:00", "vendors": ["happyseafox", "happyseafox$PRODUCT$sail"]}