Overview
CVE-2026-40494 is a critical (CVSS 9.8) heap write-past-end vulnerability in the SAIL image library's TGA codec. The vulnerability resides in the RLE (Run-Length Encoding) decoder within tga.c and is caused by an asymmetric bounds check — one code path is correctly guarded while its counterpart is not.
Technical Details
The TGA RLE decoder handles two distinct packet types:
- Run-packets: A single pixel value repeated N times.
- Literal packets: N consecutive unique pixel values read directly from the stream.
The fix commit message and NVD description confirm that at line 297 of tga.c, the run-packet path includes a correct bounds check before writing pixel data. However, the literal-packet path (the else branch) lacks an equivalent check, allowing the decoder to write pixel data past the end of the allocated output buffer.
Exploitation Mechanics
A crafted TGA file can be constructed to trigger the literal-packet code path with a pixel count that, combined with the current write offset, exceeds the buffer boundary. The decoder proceeds to write N pixels without verifying remaining capacity, resulting in:
- Heap write-past-end — overwriting bytes in adjacent allocations.
- Depending on allocator layout, this may corrupt metadata, function pointers, or other objects.
- In a worst-case scenario, this enables arbitrary code execution within the context of the process loading the image.
This type of asymmetric bounds check flaw is a recurring pattern in hand-rolled image codec parsers where dual code paths diverge over time and one loses its guard.
Affected Versions
All versions of SAIL prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302.
Fix
The patch adds the missing bounds check to the literal-packet branch, ensuring that both code paths validate the remaining buffer capacity before writing any pixel data.
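A minimal TGA RLE decoder, written for this advisory and not taken from SAIL's tga.c, that shows the two packet branches described under Technical Details with the guard the fix describes in place: the `op + bytes > out_len` test in the literal branch is the check the vulnerable else path lacked. The function and demo names and the byte streams are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical decoder for illustration; not SAIL's tga.c. TGA packet header byte:
 * bit 7 set = run packet (one pixel follows, repeated count times), bit 7 clear =
 * literal packet (count raw pixels follow); count = (hdr & 0x7F) + 1, max 128.
 * Returns 0 on success, -1 if the input is truncated or a packet would overrun out. */
int tga_rle_decode(const uint8_t *in, size_t in_len,
                   uint8_t *out, size_t out_len, size_t bpp)
{
    size_t ip = 0, op = 0;
    while (op < out_len) {
        if (ip >= in_len) return -1;                 /* no header byte left */
        uint8_t hdr = in[ip++];
        size_t count = (size_t)(hdr & 0x7F) + 1;
        size_t bytes = count * bpp;                  /* bytes this packet emits */
        if (hdr & 0x80) {
            /* Run packet: this branch was already guarded in the vulnerable code. */
            if (ip + bpp > in_len || op + bytes > out_len) return -1;
            for (size_t i = 0; i < count; i++, op += bpp)
                memcpy(out + op, in + ip, bpp);
            ip += bpp;
        } else {
            /* Literal packet: the op + bytes > out_len test is the guard the
             * vulnerable else branch lacked; without it memcpy writes past out. */
            if (ip + bytes > in_len || op + bytes > out_len) return -1;
            memcpy(out + op, in + ip, bytes);
            ip += bytes; op += bytes;
        }
    }
    return 0;
}
/* Constructed 8-bit stream: run of 2 x 0xAA, then literal {0x10, 0x20}. Returns 1 on match. */
int demo_valid_stream(void)
{
    static const uint8_t in[] = { 0x81, 0xAA, 0x01, 0x10, 0x20 };
    static const uint8_t want[] = { 0xAA, 0xAA, 0x10, 0x20 };
    uint8_t out[4] = { 0 };
    if (tga_rle_decode(in, sizeof in, out, sizeof out, 1) != 0) return 0;
    return memcmp(out, want, sizeof want) == 0;
}
/* Constructed literal packet of 5 pixels aimed at a 4-byte buffer: must be rejected (-1). */
int demo_literal_overrun_rejected(void)
{
    static const uint8_t in[] = { 0x04, 1, 2, 3, 4, 5 };
    uint8_t out[4] = { 0 };
    return tga_rle_decode(in, sizeof in, out, sizeof out, 1);
}
```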
git pull origin master
git checkout 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302
cmake -B build && cmake --build build
Impact Assessment
| Factor | Detail |
|---|---|
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network (via crafted TGA file) |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required (open a malicious image) |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Recommendations
- Patch immediately — update to a SAIL build at or after commit 45d48d1.
- Audit codec symmetry — review all dual-path decoders (run/literal, compressed/uncompressed) in your image processing stack to ensure bounds checks are applied in every branch.
- Fuzz TGA inputs — use property-based or mutation fuzzing targeting RLE boundary conditions in TGA decoding.
- Sandbox image processing — consider running image codec workloads in isolated processes or containers to limit blast radius if exploitation occurs.
Related CVEs in This Batch
These three SAIL library CVEs (CVE-2026-40492, CVE-2026-40493, CVE-2026-40494) were disclosed together and all carry CVSS 9.8. Organizations using SAIL should apply all three patches simultaneously.