Cyber Resilience

CVE-2026-40494

Critical

Published: 18 April 2026
Modified: 20 April 2026
KEV Added: not listed
Patch: available (fix commit, see References)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0031 (23.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-40494 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in the TGA codec of the SAIL image library. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 23.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), which removes the bug by moving to the fixed commit, and SI-16 (Memory Protection), which raises the cost of exploiting it but does not prevent the out-of-bounds write itself.

Deeper analysis

CVE-2026-40494 is a heap buffer overflow vulnerability (CWE-787) in the SAIL cross-platform image processing library, which supports loading and saving images with animation, metadata, and ICC profiles. The flaw resides in the TGA codec's RLE decoder in tga.c, prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302. While the run-packet path at line 297 correctly clamps the repeat count to the remaining buffer space, the raw-packet path at lines 305-311 lacks an equivalent bounds check, enabling up to 496 bytes of attacker-controlled data to be written past the end of a heap buffer.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges and no user interaction required. An unauthenticated attacker who can get a crafted TGA image to an application or service that decodes it with a vulnerable SAIL build triggers the overflow during decoding. Because the overflowing bytes are attacker-controlled and land on the heap, the realistic outcomes range from a crash (denial of service) through corruption of adjacent heap data to remote code execution, depending on heap layout and the memory protections in place. The vector assumes a network-reachable decoding path; a deployment that only decodes locally trusted TGA files has less practical exposure, but the bug is the same and still needs the patch.

The fix is commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, which adds the missing bounds check to the raw-packet path: https://github.com/HappySeaFox/sail/commit/45d48d1f2e8e0d73e80bc1fd5310cb57f4547302. Affected versions and further recommendations are in the GitHub security advisory at https://github.com/HappySeaFox/sail/security/advisories/GHSA-cp2j-rwh4-r46f. Practitioners should rebuild dependent applications against that commit or later. Because SAIL may be vendored or statically linked rather than installed as a shared library, check each application's build inputs rather than only the system package list, and confirm that the fix commit is an ancestor of the revision the application was built from.


Vulnerability details

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (lines 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.
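As an added illustration of the asymmetric-check pattern described in the Deeper analysis and Vulnerability details paragraphs, the C below is a toy TGA RLE packet decoder written for this page. It is not SAIL's tga.c, and decode_rle, overrun_bytes, well_formed_ok and the buffer sizes are assumptions chosen for the demonstration. One function serves as both the vulnerable form (run-packet path clamped, raw-packet path not) and the hardened form (both paths clamped). The decoder writes into a small logical buffer placed at the front of a larger zeroed array, so the vulnerable variant's overflow can be measured instead of corrupting a real heap. With the 16-byte destination used here the overrun also works out to 496 bytes, but that is this toy's arithmetic (128 pixels times 4 bytes minus 16), not a derivation of the page's figure, which comes from SAIL's own buffer layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy TGA RLE packet decoder (illustrative model, not SAIL's tga.c).
 * Packet header byte: bit 7 set = run packet (one pixel repeated),
 * bit 7 clear = raw packet (literal pixels); low 7 bits + 1 = pixel count.
 * clamp_raw == 0 reproduces the asymmetric check: run clamped, raw not.
 * clamp_raw == 1 is the hardened form with both paths clamped.
 * Returns how far the write cursor advanced. */
static size_t decode_rle(const uint8_t *src, size_t src_len,
                         uint8_t *dst, size_t dst_len,
                         size_t bpp, int clamp_raw)
{
    size_t si = 0, di = 0;

    while (si < src_len && di < dst_len) {
        uint8_t hdr   = src[si++];
        size_t count  = (size_t)(hdr & 0x7F) + 1;
        size_t bytes  = count * bpp;
        size_t remain = dst_len - di;

        if (hdr & 0x80) {
            /* Run packet: one pixel follows, repeated count times. */
            if (si + bpp > src_len)
                break;                          /* truncated input */
            if (bytes > remain)
                bytes = remain;                 /* bounds check present */
            for (size_t i = 0; i < bytes; i++)
                dst[di + i] = src[si + (i % bpp)];
            si += bpp;
        } else {
            /* Raw packet: count literal pixels follow. */
            if (si + bytes > src_len)
                break;                          /* truncated input */
            if (clamp_raw && bytes > remain)
                bytes = remain;                 /* the check the fix adds */
            /* With clamp_raw == 0 this copies bytes - remain past dst. */
            memcpy(dst + di, src + si, bytes);
            si += bytes;
        }
        di += bytes;
    }
    return di;
}

/* Sizes are assumptions for the demonstration, not SAIL's. */
enum { DST_LEN = 16, BPP = 4, MAX_RAW = 128 * BPP, SLACK = 64 };

/* Feed one crafted raw packet to each variant. The logical buffer is the
 * first DST_LEN bytes of a larger zeroed array, so the vulnerable variant's
 * overflow lands in memory we own and can count instead of a real heap.
 * Returns the number of bytes written past the logical end of dst. */
static size_t overrun_bytes(int clamp_raw)
{
    /* Constructed input: 0x7F = raw packet, 128 pixels, then 512 bytes
     * of 0x41 standing in for attacker-controlled pixel data. */
    uint8_t src[1 + MAX_RAW];
    src[0] = 0x7F;
    memset(src + 1, 0x41, MAX_RAW);

    uint8_t backing[DST_LEN + MAX_RAW + SLACK];
    memset(backing, 0, sizeof backing);

    decode_rle(src, sizeof src, backing, DST_LEN, BPP, clamp_raw);

    size_t overrun = 0;
    for (size_t i = DST_LEN; i < sizeof backing; i++)
        if (backing[i] != 0)
            overrun++;
    return overrun;
}

/* A well-formed stream must decode identically under both variants:
 * run packet 0x81 (2 pixels of AA BB CC DD), then raw packet 0x01
 * (2 literal pixels). Returns 1 if all 16 output bytes match. */
static int well_formed_ok(int clamp_raw)
{
    static const uint8_t src[] = {
        0x81, 0xAA, 0xBB, 0xCC, 0xDD,
        0x01, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
    };
    static const uint8_t expect[DST_LEN] = {
        0xAA, 0xBB, 0xCC, 0xDD, 0xAA, 0xBB, 0xCC, 0xDD,
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
    };
    uint8_t dst[DST_LEN] = {0};

    size_t n = decode_rle(src, sizeof src, dst, sizeof dst, BPP, clamp_raw);
    return n == DST_LEN && memcmp(dst, expect, DST_LEN) == 0;
}

int main(void)
{
    printf("well-formed stream: vulnerable=%d hardened=%d\n",
           well_formed_ok(0), well_formed_ok(1));
    printf("crafted raw packet: vulnerable overran by %zu bytes, hardened by %zu\n",
           overrun_bytes(0), overrun_bytes(1));
    return 0;
}
```

The point to take from the model is that the read-side check (is there enough source data for this packet?) passes in both variants, so the crafted file is syntactically valid RLE; only the write-side clamp against the remaining destination space distinguishes the two, and it has to be applied on every path that writes pixels, not just the one that happened to get it.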

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A heap buffer overflow in an image-decoding library that an unauthenticated remote attacker can trigger with a crafted TGA file gives initial access through whatever Internet-facing application or service decodes that input, which maps directly to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27807 (shared CWE-787)
CVE-2024-48856 (shared CWE-787)
CVE-2025-14234 (shared CWE-787)
CVE-2018-25223 (shared CWE-787)
CVE-2018-25154 (shared CWE-787)
CVE-2024-57704 (shared CWE-787)
CVE-2025-29384 (shared CWE-787)
CVE-2024-12648 (shared CWE-787)
CVE-2025-30276 (shared CWE-787)
CVE-2025-25746 (shared CWE-787)

Affected Assets

SAIL (HappySeaFox/sail), TGA codec: any build from before commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, and any application that links such a build and decodes untrusted TGA input.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent

Directly mitigates the heap buffer overflow: update vulnerable SAIL builds to the fix commit or later. This is the only control here that removes the missing bounds check itself.

SI-16 Memory Protection · prevent

Memory protections such as ASLR and DEP (NX) raise the cost of turning the heap overflow into code execution. They do not stop the out-of-bounds write, so a crash (denial of service) remains possible on an unpatched build.

Input validation · prevent

Rejecting malformed TGA files before they reach the decoder reduces exposure, but spotting a raw packet whose pixel count exceeds the remaining buffer requires re-walking the RLE stream and comparing its decoded size against the image dimensions, which duplicates the check the patch adds. Treat front-end validation as a stopgap, not a substitute for the fix.

References

https://github.com/HappySeaFox/sail/commit/45d48d1f2e8e0d73e80bc1fd5310cb57f4547302
https://github.com/HappySeaFox/sail/security/advisories/GHSA-cp2j-rwh4-r46f