Cyber Posture

CVE-2026-40493

Critical

Published: 18 April 2026
Modified: 20 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (17.4th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40493 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1203, listed below). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent (SI-2 Flaw Remediation): flaw remediation directly addresses the CVE by applying the patch from commit c930284445ea3ff94451ccd7a57c999eca3bc979 to fix the bytes-per-pixel calculation mismatch in the PSD codec.

Prevent (SI-10 Information Input Validation): information input validation requires checking PSD header fields such as channels and depth against the resolved pixel format, so that undersized buffer allocations leading to heap overflows are rejected before any pixel data is written.

Prevent (SI-16 Memory Protection): memory protection safeguards such as address space randomization and non-executable heap memory raise the cost of turning the heap buffer overflow into arbitrary code execution.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1203 Exploitation for Client Execution (Execution): adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

A heap buffer overflow in an image codec enables remote code execution via a crafted PSD file processed by the vulnerable library; this maps directly to exploitation of public-facing applications (T1190) or client applications (T1203), consistent with AV:N/UI:N.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.

Deeper analysis [AI-generated]

CVE-2026-40493 is a heap buffer overflow vulnerability (CWE-787) affecting the PSD codec in SAIL, a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the codec computes bytes-per-pixel (bpp) from raw header fields as (channels * depth + 7)/8, but allocates the pixel buffer based on the resolved pixel format. For LAB mode with channels=3 and depth=16, this results in bpp=6 while the BPP40_CIE_LAB format allocates only 5 bytes per pixel, causing every pixel write to overshoot and trigger a deterministic heap buffer overflow on every row.
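As an added illustration of the mismatch and of the SI-10 check that closes it (not SAIL's code: the pixel-format table, the PSD colour-mode numbers used by the resolver, and all function names are constructed for this example), the following C computes bytes-per-pixel from the raw header beside the resolved format's value and refuses the LAB channels=3, depth=16 header rather than sizing a buffer one byte per pixel too small:

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the CVE-2026-40493 mismatch; not SAIL's code.
 * Format names follow the page's BPP<bits>_<name> convention. */
enum pixel_format { FMT_UNKNOWN = 0, FMT_BPP24_RGB, FMT_BPP40_CIE_LAB };

struct psd_header {
    uint16_t channels;
    uint16_t depth;      /* bits per channel */
    uint16_t color_mode; /* PSD color mode: 3 = RGB, 9 = Lab */
};

/* Vulnerable derivation: bytes per pixel straight from raw header fields. */
size_t header_bpp(const struct psd_header *h)
{
    return ((size_t)h->channels * h->depth + 7) / 8;
}

/* Bytes per pixel of the resolved format, which is what sizes the buffer. */
size_t format_bpp(enum pixel_format f)
{
    switch (f) {
    case FMT_BPP24_RGB:     return 3;
    case FMT_BPP40_CIE_LAB: return 5;
    default:                return 0;
    }
}

/* Hypothetical resolver: Lab maps to the 40-bit format regardless of depth,
 * reproducing the advisory's mismatch for channels=3, depth=16. */
enum pixel_format resolve_format(const struct psd_header *h)
{
    if (h->color_mode == 3 && h->channels == 3 && h->depth == 8) return FMT_BPP24_RGB;
    if (h->color_mode == 9 && h->channels == 3) return FMT_BPP40_CIE_LAB;
    return FMT_UNKNOWN;
}

/* SI-10 style check. Returns the row size in bytes, or 0 to reject the header:
 * unknown format, header bpp disagreeing with the resolved format's bpp
 * (the CVE case: 6 != 5), zero width, or a width * bpp product that overflows. */
size_t checked_row_bytes(const struct psd_header *h, uint32_t width)
{
    size_t fb = format_bpp(resolve_format(h));
    if (fb == 0 || header_bpp(h) != fb) return 0;
    if (width == 0 || fb > SIZE_MAX / width) return 0;
    return (size_t)width * fb;
}
```

Sizing the row from the resolved format alone, as the pre-patch codec did, accepts the LAB header and allocates 5 bytes per pixel for 6-byte writes; the check above makes the two derivations agree or rejects the file.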

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it remotely exploitable by unauthenticated attackers with low attack complexity and no user interaction required. An attacker can craft a malicious PSD image file that, when processed by an affected SAIL instance, triggers the overflow, potentially enabling arbitrary code execution, confidentiality and integrity violations, or availability impacts such as denial of service.

Mitigation is provided by commit c930284445ea3ff94451ccd7a57c999eca3bc979, which patches the bytes-per-pixel calculation and buffer allocation mismatch. Additional details are available in the GitHub security advisory at https://github.com/HappySeaFox/sail/security/advisories/GHSA-rcqx-gc76-r9mv and the patch commit at https://github.com/HappySeaFox/sail/commit/c930284445ea3ff94451ccd7a57c999eca3bc979.

Details

CWE(s): CWE-787 (Out-of-bounds Write)

CVEs Like This One (shared CWE-787)

CVE-2026-40492
CVE-2026-31789
CVE-2025-69419
CVE-2024-53842
CVE-2025-21042
CVE-2026-27703
CVE-2026-21897
CVE-2025-29385
CVE-2025-36897
CVE-2025-43300
