CVE-2026-40492: SAIL XWD Codec Heap Buffer Overflow (CVSS 9.8)

Overview

CVE-2026-40492 is a critical (CVSS 9.8) heap buffer overflow vulnerability in SAIL, a cross-platform C library for loading and saving images. The flaw exists in the XWD codec and stems from an internal inconsistency in how pixel format is resolved versus how byte-swapping operations are performed.

Technical Details

The XWD codec resolves a pixel format based on the pixmap_depth field from the file header. However, the byte-swap logic that follows uses bits_per_pixel as an independent value — without verifying that these two values are consistent with each other.

An attacker can craft a malicious XWD image where pixmap_depth and bits_per_pixel disagree. When the codec processes this image:

The pixel format is resolved using pixmap_depth, determining buffer allocation size.
The byte-swap code uses bits_per_pixel, which may reference a wider stride.
The discrepancy causes the byte-swap logic to read or write beyond the allocated buffer, resulting in a heap buffer overflow.

This class of vulnerability can lead to:

Arbitrary code execution — by corrupting adjacent heap metadata or function pointers.
Denial of service — via a process crash when a guard page or allocator detects the overflow.
Memory disclosure — if the overread bytes can be reflected back to the caller.

Affected Versions

All versions of SAIL prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 are vulnerable.

Fix

The fix ensures that both pixmap_depth and bits_per_pixel are validated for consistency before any codec operations proceed. Users should update to a version that includes this commit or later.

# Update SAIL from source
git pull origin master
git checkout 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02
cmake -B build && cmake --build build

Impact Assessment

Factor	Detail
CVSS Score	9.8 (Critical)
Attack Vector	Network (via crafted image file)
Attack Complexity	Low
Privileges Required	None
User Interaction	Required (open a malicious image)
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

Recommendations

Upgrade immediately to a build at or after commit 36aa5c7.
Validate untrusted input — do not pass user-supplied image files directly to SAIL without format validation at the application boundary.
Enable heap hardening — compile with -D_FORTIFY_SOURCE=2 and use address sanitizers in test pipelines to catch similar issues early.
Monitor for exploitation — watch for unexpected crashes in image-processing services, which may indicate active exploitation attempts.

References

Overview

Technical Details

An attacker can craft a malicious XWD image where pixmap_depth and bits_per_pixel disagree. When the codec processes this image:

The pixel format is resolved using pixmap_depth, determining buffer allocation size.
The byte-swap code uses bits_per_pixel, which may reference a wider stride.
The discrepancy causes the byte-swap logic to read or write beyond the allocated buffer, resulting in a heap buffer overflow.

This class of vulnerability can lead to:

Arbitrary code execution — by corrupting adjacent heap metadata or function pointers.
Denial of service — via a process crash when a guard page or allocator detects the overflow.
Memory disclosure — if the overread bytes can be reflected back to the caller.

Affected Versions

All versions of SAIL prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 are vulnerable.

Fix

The fix ensures that both pixmap_depth and bits_per_pixel are validated for consistency before any codec operations proceed. Users should update to a version that includes this commit or later.

# Update SAIL from source
git pull origin master
git checkout 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02
cmake -B build && cmake --build build

Impact Assessment

Factor	Detail
CVSS Score	9.8 (Critical)
Attack Vector	Network (via crafted image file)
Attack Complexity	Low
Privileges Required	None
User Interaction	Required (open a malicious image)
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

Recommendations

Upgrade immediately to a build at or after commit 36aa5c7.
Validate untrusted input — do not pass user-supplied image files directly to SAIL without format validation at the application boundary.
Enable heap hardening — compile with -D_FORTIFY_SOURCE=2 and use address sanitizers in test pipelines to catch similar issues early.
Monitor for exploitation — watch for unexpected crashes in image-processing services, which may indicate active exploitation attempts.

CVE-2026-40492: SAIL XWD Codec Heap Buffer Overflow (CVSS 9.8)

Affected Products

Overview

Technical Details

Affected Versions

Fix

Impact Assessment

Recommendations

References

CVE-2026-40494: SAIL TGA Codec RLE Decoder Asymmetric Bounds Check (CVSS 9.8)

CVE-2026-40493: SAIL PSD Codec Buffer Overflow via channels * depth Miscalculation (CVSS 9.8)

CVE-2026-6518: WordPress CMP Plugin Arbitrary File Upload and Remote Code Execution (CVSS 8.8)

CVE-2026-40492: SAIL XWD Codec Heap Buffer Overflow (CVSS 9.8)

Affected Products

Overview

Technical Details

Affected Versions

Fix

Impact Assessment

Recommendations

References

CVE-2026-40494: SAIL TGA Codec RLE Decoder Asymmetric Bounds Check (CVSS 9.8)

CVE-2026-40493: SAIL PSD Codec Buffer Overflow via channels * depth Miscalculation (CVSS 9.8)

CVE-2026-6518: WordPress CMP Plugin Arbitrary File Upload and Remote Code Execution (CVSS 8.8)