Cyber Resilience

CVE-2024-26540

High · Public PoC

Published: 15 March 2024

Modified
10 June 2025
KEV Added
Patch
CVSS Score v3.1
7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score
0.0011 (29.6th percentile)
Risk Priority
16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-26540 is a high-severity heap-based buffer overflow (CWE-122) vulnerability in CImg. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 29.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as Computer Vision, in the Data-Related Vulnerabilities risk domain, with the MITRE ATLAS technique External Harms (AML.T0048) in scope.

Vulnerability details

A heap-based buffer overflow in CImg before 3.3.3 can occur via a crafted file to cimg_library::CImg<unsigned char>::_load_analyze.

AI Security Analysis

AI Category
Computer Vision
Risk Domain
Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
CImg is a C++ template image processing library commonly used in computer vision applications for image loading, manipulation, and analysis, including medical imaging formats like ANALYZE/NIfTI relevant to AI/CV workflows. The vulnerability in image loading functions aligns with CV software.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203: Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

A heap-based buffer overflow in the CImg library's _load_analyze function, triggered by a crafted ANALYZE/NIfTI file, enables arbitrary code execution via exploitation of client-side image processing software.

MITRE ATLAS Techniques

AML.T0048: External Harms

Affected Assets

cimg
cimg
≤ 3.3.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
