CVE-2026-40492
Published: 18 April 2026
Summary
CVE-2026-40492 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 17.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely remediation of the specific buffer overflow flaw in the SAIL library's XWD codec by applying the patch in commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02.
- SI-16 (Memory Protection): Enforces memory protection mechanisms such as ASLR, DEP, and stack canaries that directly mitigate exploitation of the out-of-bounds read/write in the byte-swap loop, which treats 1-byte pixels as uint32_t.
- Input validation: Mandates validation of image inputs to detect and reject malformed XWD files whose header combines pixmap_depth=8 with bits_per_pixel=32 before the pixel data is processed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote buffer overflow in image library enables RCE via crafted XWD input to public-facing services (T1190) or client applications (T1203).
NVD Description
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.
Deeper analysis
CVE-2026-40492 is a buffer overflow vulnerability in the SAIL library, a cross-platform image loading and saving library supporting animation, metadata, and ICC profiles. The issue affects the XWD codec prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02. In this codec, pixel format resolution relies on pixmap_depth, but the byte-swap code independently uses bits_per_pixel. Specifically, when pixmap_depth is 8 (indicating BPP8_INDEXED with a 1-byte-per-pixel buffer) but bits_per_pixel is 32, the byte-swap loop treats the buffer as uint32_t*, resulting in reads and writes extending 4 times beyond the allocated buffer size. This constitutes an out-of-bounds memory access classified under CWE-787 and is distinct from the prior GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which handled bytes_per_line validation.
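The root cause described above, and the header validation the mitigating-controls section calls for, come down to one invariant: the element width the byte-swap loop uses must be derived from the same source as the buffer's allocation, never from an independent header field. The following C code is an added example written for this page; it is not SAIL's code and does not reproduce the patched commit. The `struct xwd_hdr`, the depth-to-bytes mapping in `buffer_bytes_per_pixel()`, and the function names are illustrative assumptions. It rejects the inconsistent `pixmap_depth=8` / `bits_per_pixel=32` combination up front, and additionally bounds the swap loop by the real buffer length rather than by any header value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical subset of an XWD header: only the fields relevant to
 * the mismatch discussed in the advisory. */
struct xwd_hdr {
    uint32_t pixmap_depth;   /* decides the pixel format, hence buffer size */
    uint32_t bits_per_pixel; /* was used on its own to pick the swap width */
    uint32_t byte_order;     /* 0 = LSB first, 1 = MSB first (X11 convention) */
};

/* Bytes per pixel of the buffer that would be allocated for a given depth.
 * Illustrative mapping (an assumption, not SAIL's table): depth <= 8 is a
 * 1-byte indexed buffer, the BPP8_INDEXED case. Returns 0 if unsupported. */
static size_t buffer_bytes_per_pixel(uint32_t pixmap_depth) {
    if (pixmap_depth == 0)  return 0;
    if (pixmap_depth <= 8)  return 1;
    if (pixmap_depth <= 16) return 2;
    if (pixmap_depth <= 32) return 4;
    return 0;
}

/* The check the advisory's mitigation asks for: the swap width implied by
 * bits_per_pixel must equal the pixel width of the buffer that pixmap_depth
 * selects. depth=8 with bits_per_pixel=32 fails here (1 byte vs 4 bytes). */
static bool xwd_header_consistent(const struct xwd_hdr *h) {
    size_t buf_bpp = buffer_bytes_per_pixel(h->pixmap_depth);
    if (buf_bpp == 0) return false;
    if (h->bits_per_pixel != 8 && h->bits_per_pixel != 16 && h->bits_per_pixel != 32)
        return false;
    return (size_t)(h->bits_per_pixel / 8) == buf_bpp;
}

/* Byte-swap pixels in place. Returns the number of elements processed, or
 * -1 if the header is rejected. The loop bound comes from buf_len, the real
 * allocation, so even a wrong header cannot drive it past the buffer. Byte
 * reversal is done per element, so no aligned uint32_t* access is needed. */
static long xwd_byteswap_checked(uint8_t *buf, size_t buf_len, const struct xwd_hdr *h) {
    if (!xwd_header_consistent(h)) return -1;
    size_t width = h->bits_per_pixel / 8;
    if (width == 1) return (long)buf_len;      /* 1-byte pixels: nothing to swap */
    size_t n = buf_len / width;                /* whole elements that actually fit */
    for (size_t i = 0; i < n; i++) {
        uint8_t *p = buf + i * width;
        for (size_t a = 0, b = width - 1; a < b; a++, b--) {
            uint8_t t = p[a]; p[a] = p[b]; p[b] = t;
        }
    }
    return (long)n;
}

int main(void) {
    /* Constructed sample: the advisory's bad combination, over a 4-pixel
     * indexed buffer (4 bytes). The old logic would have touched 16 bytes. */
    struct xwd_hdr bad = { 8, 32, 1 };
    uint8_t indexed[4] = { 1, 2, 3, 4 };
    printf("depth=8/bpp=32 -> %ld (expected -1, header rejected)\n",
           xwd_byteswap_checked(indexed, sizeof indexed, &bad));

    /* Constructed sample: a consistent 32-bit header over two pixels. */
    struct xwd_hdr ok = { 24, 32, 1 };
    uint8_t rgbx[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    long n = xwd_byteswap_checked(rgbx, sizeof rgbx, &ok);
    printf("depth=24/bpp=32 -> %ld pixels swapped, first pixel now %u %u %u %u\n",
           n, rgbx[0], rgbx[1], rgbx[2], rgbx[3]);
    return 0;
}
```

The two checks are deliberately independent: `xwd_header_consistent()` turns the advisory's mismatch into a parse-time rejection of the file, while bounding the loop by `buf_len` is defence in depth that holds even if a future format is added to the depth table without updating the consistency rule.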
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity, no privileges or user interaction required. Any unauthenticated remote attacker can exploit it by supplying a specially crafted XWD image to an application or service using the vulnerable SAIL version. Successful exploitation enables high-impact confidentiality, integrity, and availability violations, such as arbitrary memory read/write operations, potentially leading to remote code execution, data corruption, or denial of service depending on the context and mitigations in the affected application.
The GitHub security advisory GHSA-526v-vm72-4v64 and the referenced commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 detail the patch, which resolves the mismatch in pixel format handling within the XWD codec. Security practitioners should update SAIL to the post-commit version and validate image inputs in applications, especially those processing untrusted XWD files.
Details
- CWE(s)