Overview
CVE-2026-40493 is a critical (CVSS 9.8) out-of-bounds write vulnerability in the SAIL image processing library. The flaw lives in the PSD (Photoshop Document) codec and is caused by an undersized buffer allocation due to a miscalculation based on raw header values.
Technical Details
The PSD codec computes bytes_per_pixel (abbreviated bpp) as channels * depth directly from the file header. This calculation is used to determine the size of the pixel data buffer to allocate. However, the actual number of bytes needed during decoding can exceed this estimate when:
- Channel or depth values are inconsistent with the encoded data stream.
- The file contains unusual or malformed combinations of channel count and bit depth.
- The codec writes more data than the buffer can hold during pixel reconstruction.
The result is an out-of-bounds write into heap memory adjacent to the allocated buffer.
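As an added example (not SAIL's own code, and not a reconstruction of its patch), the following C routine shows the defensive counterpart to the miscalculation described above: it validates the channel count, bit depth and dimensions against the ranges the PSD specification allows before deriving the buffer size, pads 1-bit rows to whole bytes, and guards the final product against overflow. The function names `psd_safe_buffer_size` and `psd_make_header` are chosen here; the test header it builds is constructed, not taken from a real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not SAIL's code): validate a PSD header and derive the
 * pixel buffer size from the validated fields instead of raw header values.
 * PSD v1 header (26 bytes, Adobe spec): "8BPS", version u16, 6 reserved,
 * channels u16, height u32, width u32, depth u16, color mode u16. */
#define PSD_HEADER_SIZE 26

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Returns the bytes needed for all channel planes, or 0 if the header is rejected.
 * Row size is computed per channel, so 1-bit depth is padded to whole bytes per
 * row rather than being truncated to zero by an integer depth / 8. */
size_t psd_safe_buffer_size(const uint8_t *hdr, size_t len)
{
    if (len < PSD_HEADER_SIZE || memcmp(hdr, "8BPS", 4) != 0) return 0;
    uint16_t version  = rd16(hdr + 4);
    uint16_t channels = rd16(hdr + 12);
    uint32_t height   = rd32(hdr + 14);
    uint32_t width    = rd32(hdr + 18);
    uint16_t depth    = rd16(hdr + 22);

    /* Spec ranges for v1: 1..56 channels, depth in {1,8,16,32}, dimensions 1..30000. */
    if (version != 1 || channels < 1 || channels > 56) return 0;
    if (depth != 1 && depth != 8 && depth != 16 && depth != 32) return 0;
    if (width < 1 || width > 30000u || height < 1 || height > 30000u) return 0;

    size_t row_bytes = (depth == 1) ? ((size_t)width + 7) / 8
                                    : (size_t)width * (depth / 8);
    size_t plane_bytes = row_bytes * height;          /* bounded by the checks above */
    if (plane_bytes > SIZE_MAX / channels) return 0;  /* overflow guard for the product */
    return plane_bytes * channels;
}

/* Builds a constructed (synthetic) v1 header for testing; out must hold 26 bytes. */
void psd_make_header(uint8_t *out, uint16_t channels, uint32_t width, uint32_t height, uint16_t depth)
{
    memset(out, 0, PSD_HEADER_SIZE);
    memcpy(out, "8BPS", 4);
    out[5] = 1;                                     /* version 1 */
    out[12] = (uint8_t)(channels >> 8); out[13] = (uint8_t)channels;
    for (int i = 0; i < 4; i++) { out[14 + i] = (uint8_t)(height >> (24 - 8 * i)); out[18 + i] = (uint8_t)(width >> (24 - 8 * i)); }
    out[22] = (uint8_t)(depth >> 8); out[23] = (uint8_t)depth;
}
```

Any header the function rejects should be refused before a single byte of pixel data is decoded; the size it returns is the upper bound the decoder's writes must stay within.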
Attack Scenario
A threat actor or malicious web server serves a specially crafted .psd file to a target application using SAIL for image processing. When the codec attempts to decode the pixel data, it writes beyond the buffer boundary, allowing:
- Corruption of adjacent heap allocations.
- Overwrite of function pointers or vtable entries in C++ contexts.
- Potential for controlled code execution, depending on allocator layout.
Affected Versions
All versions of SAIL prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979.
Fix
The patch corrects the buffer size calculation by accounting for the actual maximum bytes that the decoder can write, rather than relying solely on the raw channels * depth product from the header. Apply the fix by updating to a build that includes this commit.
```sh
git pull origin master
# Checks out the fixing commit itself (detached HEAD); any later commit on master also contains it.
git checkout c930284445ea3ff94451ccd7a57c999eca3bc979
cmake -B build && cmake --build build
```
Impact Assessment
| Factor | Detail |
|---|---|
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network (via crafted PSD file) |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required (open a malicious image) |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Recommendations
- Update SAIL to a version at or after commit c930284.
- Restrict PSD file processing to trusted sources only until the patch is applied.
- Fuzz PSD parsing with tools like AFL++ or libFuzzer to detect similar allocation logic errors in related codecs.
- Use memory-safe build flags — compile with AddressSanitizer during development and -D_FORTIFY_SOURCE=2 in production.