CVE-2026-35444
Published: 06 April 2026
Summary
CVE-2026-35444 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in SDL_image (libsdl-org), the image-loading companion library for SDL. Its CVSS v3.1 base score is 7.1 (High).
Operationally, the listed MITRE ATT&CK mapping is User Execution: Malicious Image (T1204.003), reflecting that a user must open or render the crafted file. The exploit-likelihood score places it at the 1.9th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-35444 is a heap out-of-bounds read in SDL_image, the library that loads images of various formats as SDL surfaces. The flaw is in do_layer_surface() in src/IMG_xcf.c, the loader for XCF (GIMP's native image format): pixel index values taken from decoded XCF tile data are used directly as indices into the image's colormap without being checked against the colormap size (cm_num). A crafted .xcf file that declares a small colormap but contains out-of-range pixel indices therefore makes the loader read up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1, index only, and bpp=2, index plus alpha). The bytes read from beyond the colormap are written into the output surface's pixel data, so neighbouring heap contents can end up visible in the rendered image. Whether that leak is actually useful to an attacker depends on their being able to observe the rendered or re-encoded surface, for example in a service that converts or thumbnails uploaded images. The vulnerability is rated 7.1 under CVSS v3.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L) and maps to CWE-125 (Out-of-bounds Read).
An attacker exploits this remotely by delivering a malicious .xcf file to a victim; user interaction is required, namely opening or rendering the file in an application built on SDL_image. No privileges are needed, the attack vector is network and the complexity is low. Successful exploitation yields a high confidentiality impact (heap data leaked into pixel values) and a low availability impact (a read far enough past the allocation can crash the process), with no integrity impact.
The GitHub Security Advisory at https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7 details the issue, and the fix is commit 996bf12888925932daace576e09c3053410896f8. Security practitioners should update SDL_image to a version incorporating this commit, including copies statically linked or vendored into applications and game engines, and should validate image inputs in applications that accept XCF files. Where a rebuild is not immediately possible, disabling the XCF loader at build time or rejecting .xcf input at the application boundary removes the exposure if the format is not needed.
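The following is an added illustration of the flaw pattern described above, written for this page; it is not SDL_image's code and the type and function names (xcf_cmap_t, expand_indexed_unchecked, expand_indexed_checked) are hypothetical. It assumes the layout the advisory implies: a colormap of cm_num 3-byte RGB entries and tiles whose pixels carry an 8-bit colormap index (plus an alpha byte when bpp=2). The unchecked expander is placed next to a hardened one that applies the missing cm_num check, which is the input-validation control listed under Mitigating Controls. The "heap" is modelled as a 768-byte region with a two-entry colormap at its start and marker bytes after it, so the program can count how many marker bytes the unchecked path copies into pixels without performing an actual out-of-bounds access. With 8-bit indices and 3-byte entries the farthest byte an unchecked lookup can touch is offset 255*3+2, so a two-entry colormap gives 768-6 = 762 bytes of overread, consistent with the figure in the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the flaw described above, not SDL_image code; the
 * names xcf_cmap_t and expand_indexed_* are hypothetical. Assumed layout: a
 * colormap of cm_num 3-byte RGB entries; a tile pixel of bpp bytes, first the
 * 8-bit colormap index and, for bpp == 2, an alpha byte; RGBA output. */

#define CMAP_MAX_BYTES 768  /* 256 entries * 3 bytes, the largest legal colormap */
#define DEMO_PIX 4

typedef struct {
    const uint8_t *data;  /* RGB triples */
    int cm_num;           /* entries actually present in this file */
} xcf_cmap_t;

/* Worst-case overread for an unchecked 8-bit index: the farthest byte it
 * can touch is offset 255*3 + 2, so one past that is 768. */
int max_overread_bytes(int cm_num)
{
    int alloc = cm_num * 3;
    return CMAP_MAX_BYTES > alloc ? CMAP_MAX_BYTES - alloc : 0;
}

static void put_rgba(uint8_t *out, int i, const uint8_t *c, uint8_t a)
{
    out[i * 4 + 0] = c[0]; out[i * 4 + 1] = c[1];
    out[i * 4 + 2] = c[2]; out[i * 4 + 3] = a;
}

/* VULNERABLE model: the index goes straight into the colormap. */
void expand_indexed_unchecked(const xcf_cmap_t *cm, const uint8_t *tile,
                              int npix, int bpp, uint8_t *out)
{
    for (int i = 0; i < npix; i++) {
        uint8_t idx = tile[i * bpp];
        const uint8_t *c = cm->data + idx * 3;  /* may lie past cm_num * 3 */
        put_rgba(out, i, c, bpp == 2 ? tile[i * bpp + 1] : 0xFF);
    }
}

/* HARDENED model: every index is validated against cm_num first.
 * Returns 0 on success, -1 if the tile references a missing entry. */
int expand_indexed_checked(const xcf_cmap_t *cm, const uint8_t *tile,
                           int npix, int bpp, uint8_t *out)
{
    if (cm->cm_num < 1 || cm->cm_num > 256 || (bpp != 1 && bpp != 2))
        return -1;
    for (int i = 0; i < npix; i++) {
        uint8_t idx = tile[i * bpp];
        if (idx >= cm->cm_num)  /* the check the vulnerable path lacks */
            return -1;
        put_rgba(out, i, cm->data + idx * 3, bpp == 2 ? tile[i * bpp + 1] : 0xFF);
    }
    return 0;
}

/* Constructed inputs: a 2-entry colormap at the start of a 768-byte region
 * whose remainder is 0xEE, standing in for neighbouring heap memory. The
 * tile uses indices 0 and 1 (valid) plus, if include_bad, 2 and 255. */
static void build_demo(uint8_t *region, uint8_t *tile, int bpp, int include_bad)
{
    static const uint8_t cmap[6] = {0, 0, 0, 255, 255, 255};
    static const uint8_t idx[DEMO_PIX] = {0, 1, 2, 255};
    memset(region, 0xEE, CMAP_MAX_BYTES);
    memcpy(region, cmap, sizeof cmap);
    for (int i = 0; i < DEMO_PIX; i++) {
        tile[i * bpp] = (i < 2 || include_bad) ? idx[i] : 1;
        if (bpp == 2) tile[i * bpp + 1] = 0x80;
    }
}

/* Unchecked path: count output RGB bytes that came from beyond the colormap
 * (two bad pixels, three marker bytes each, so 6 for either bpp). */
int demo_leak_count(int bpp)
{
    uint8_t region[CMAP_MAX_BYTES], tile[DEMO_PIX * 2], out[DEMO_PIX * 4];
    xcf_cmap_t cm = { region, 2 };
    build_demo(region, tile, bpp, 1);
    expand_indexed_unchecked(&cm, tile, DEMO_PIX, bpp, out);
    int leaked = 0;
    for (int i = 0; i < DEMO_PIX; i++)
        for (int k = 0; k < 3; k++)
            if (out[i * 4 + k] == 0xEE) leaked++;
    return leaked;
}

/* Checked path on the same inputs: -1 with bad indices, 0 without. */
int demo_checked(int bpp, int include_bad)
{
    uint8_t region[CMAP_MAX_BYTES], tile[DEMO_PIX * 2], out[DEMO_PIX * 4];
    xcf_cmap_t cm = { region, 2 };
    build_demo(region, tile, bpp, include_bad);
    return expand_indexed_checked(&cm, tile, DEMO_PIX, bpp, out);
}

int main(void)
{
    printf("overread(2)=%d leak_bpp1=%d leak_bpp2=%d checked bad=%d clean=%d\n",
           max_overread_bytes(2), demo_leak_count(1), demo_leak_count(2),
           demo_checked(2, 1), demo_checked(2, 0));
    return 0;
}
```

The hardened variant rejects the whole tile on the first bad index rather than clamping it, which is the safer choice for an untrusted file: clamping would silently render a corrupt image, while a hard failure surfaces the malformed input to the caller. The same region-and-marker technique is a convenient way to confirm an advisory's overread figure in a unit test, without relying on ASan to catch a real out-of-bounds access.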
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19527
Vulnerability details
SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.
- CWE: CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is triggered when a user opens or renders a crafted XCF file in an application that uses SDL_image, so it is mapped to the User Execution tactic, here the Malicious Image sub-technique (T1204.003), for the user-execution step and the resulting information disclosure. Note that in ATT&CK T1204.003 describes container and cloud machine images rather than picture files; for a user-opened document of this kind the sibling sub-technique T1204.002 (Malicious File) is the closer fit when building detections or mappings of your own.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): patching SDL_image to a build that contains commit 996bf12888925932daace576e09c3053410896f8 removes the heap out-of-bounds read and so directly prevents exploitation via crafted XCF files.
- SI-10 (Information Input Validation): validating every pixel index decoded from XCF tile data against the colormap size (cm_num) before it is used as an index is the root-cause fix for the out-of-bounds read; rejecting .xcf input at the application boundary when the format is not needed is the same control applied one layer up.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning that identifies CVE-2026-35444 in deployed SDL_image builds, including copies statically linked or vendored into applications and game engines, enables timely remediation of unpatched libraries.