CVE-2026-27168
Published: 21 February 2026
Summary
CVE-2026-27168 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Sail Sail. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of information inputs like bytes_per_line against destination buffer sizes to prevent heap buffer overflows in the XWD parser.
Directly mandates identification, reporting, and correction of flaws like this unpatched heap buffer overflow in the SAIL library.
Implements memory safeguards such as heap protections to mitigate unauthorized writes from buffer overflows even if input validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap overflow in image parser directly enables RCE via malicious XWD file against apps using SAIL (T1190/T1203 client/server exploitation or T1204.002 malicious file delivery); AV:A/UI:N fits automated processing contexts.
NVD Description
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to Heap-based Buffer Overflow through the XWD parser's use of the bytes_per_line value. The value os read directly…
more
from the file as the read size in io->strict_read(), and is never compared to the actual size of the destination buffer. An attacker can provide an XWD file with an arbitrarily large bytes_per_line, causing a massive write operation beyond the buffer heap allocated for the image pixels. The issue did not have a fix at the time of publication.
Deeper analysisAI
CVE-2026-27168 is a heap-based buffer overflow vulnerability affecting all versions of SAIL, a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. The issue arises in the XWD parser, where the bytes_per_line value is read directly from the file and used as the read size in io->strict_read() without any comparison to the size of the destination buffer allocated for image pixels.
An attacker can exploit this vulnerability by providing a malicious XWD file with an arbitrarily large bytes_per_line value, triggering a massive write operation that overflows the heap buffer. The CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates that exploitation requires adjacent network access, is low complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability, associated with CWE-122.
The GitHub Security Advisory at https://github.com/HappySeaFox/sail/security/advisories/GHSA-3g38-x2pj-mv55 provides additional details. At the time of publication on 2026-02-21T00:16:16.640, no fix was available for the vulnerability.
Details
- CWE(s)