CVE-2026-40494
Published: 18 April 2026
Summary
CVE-2026-40494 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40494 is a heap buffer overflow vulnerability (CWE-787) in the SAIL cross-platform image processing library, which supports loading and saving images with animation, metadata, and ICC profiles. The flaw resides in the TGA codec's RLE decoder in tga.c, prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302. While the run-packet path at line 297 correctly clamps the repeat count to the remaining buffer space, the raw-packet path at lines 305-311 lacks an equivalent bounds check, enabling up to 496 bytes of attacker-controlled data to be written past the end of a heap buffer.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it remotely exploitable over a network with low attack complexity, no privileges or user interaction required. Any unauthenticated attacker can supply a specially crafted TGA image to an application or service using a vulnerable version of SAIL, triggering the buffer overflow during decoding and potentially achieving remote code execution, memory corruption, or denial of service.
Mitigation is provided by commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, which addresses the missing bounds check in the raw-packet path; see https://github.com/HappySeaFox/sail/commit/45d48d1f2e8e0d73e80bc1fd5310cb57f4547302. Further details, including affected versions and recommendations, are available in the GitHub security advisory at https://github.com/HappySeaFox/sail/security/advisories/GHSA-cp2j-rwh4-r46f. Practitioners should update dependent applications to use the patched SAIL commit or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23648
Vulnerability details
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (lines 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.
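The asymmetry described above and in the deeper analysis (the run path clamps to remaining buffer space, the raw path does not) is easiest to see in a decoder that applies the same guard to both packet kinds. The following is an added, constructed example written for this page; it is not SAIL's `tga.c` and does not reproduce the project's code. The function name `tga_rle_decode`, the `bpp` parameter and the `check_*` self-checks are assumptions of this example. The self-checks build their own sample RLE packets inline, including a raw packet that claims more pixels than the output buffer can hold, and verify that a guard region after the buffer is never written.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed TGA RLE scanline decoder for illustration only (not SAIL's
 * tga.c). TGA RLE packet: one header byte; bit 7 set = run packet (one
 * pixel repeated (low 7 bits + 1) times), bit 7 clear = raw packet
 * ((low 7 bits + 1) literal pixels follow). Both paths below clamp the
 * pixel count to the space left in dst before writing.
 */

/* Decode packets from src into dst until dst is full.
 * Returns bytes written (== dst_len on success) or -1 on malformed input. */
static long tga_rle_decode(const uint8_t *src, size_t src_len,
                           uint8_t *dst, size_t dst_len, size_t bpp)
{
    size_t si = 0, di = 0;

    if (bpp == 0 || bpp > 4 || dst_len % bpp != 0)
        return -1;

    while (di < dst_len) {
        if (si >= src_len)
            return -1;                              /* no packet header left */

        uint8_t hdr = src[si++];
        size_t count = (size_t)(hdr & 0x7F) + 1;    /* 1..128 pixels */
        size_t remaining = (dst_len - di) / bpp;    /* pixels dst can hold */

        /* Clamp to remaining output space. The advisory's run path did this;
         * its raw path did not, so a raw packet could write past the end. */
        if (count > remaining)
            count = remaining;

        if (hdr & 0x80) {
            /* run packet: one source pixel, repeated count times */
            if (src_len - si < bpp)
                return -1;                          /* pixel bytes truncated */
            for (size_t i = 0; i < count; i++) {
                memcpy(dst + di, src + si, bpp);
                di += bpp;
            }
            si += bpp;
        } else {
            /* raw packet: count literal pixels copied verbatim */
            size_t nbytes = count * bpp;
            if (src_len - si < nbytes)
                return -1;                          /* literal bytes truncated */
            memcpy(dst + di, src + si, nbytes);
            di += nbytes;
            si += nbytes;
        }
    }
    return (long)di;
}

/* Self-check 1 (constructed input): a 4-pixel run then a 4-pixel raw packet,
 * 1 byte per pixel. Returns 1 when the 8-byte output is as expected. */
static int check_run_then_raw(void)
{
    const uint8_t src[] = { 0x83, 0xAA,                     /* run: 4 x 0xAA */
                            0x03, 0x01, 0x02, 0x03, 0x04 }; /* raw: 4 pixels */
    const uint8_t want[8] = { 0xAA, 0xAA, 0xAA, 0xAA, 1, 2, 3, 4 };
    uint8_t dst[8] = { 0 };
    long n = tga_rle_decode(src, sizeof src, dst, sizeof dst, 1);
    return n == 8 && memcmp(dst, want, 8) == 0;
}

/* Self-check 2 (constructed input): a raw packet claiming 128 pixels when only
 * 4 output bytes remain. A guard region placed right after the real buffer must
 * stay untouched. Returns 1 when the decoder clamped and the guard is intact. */
static int check_oversized_raw_is_clamped(void)
{
    uint8_t src[1 + 128];
    src[0] = 0x7F;                                  /* raw packet, 128 pixels */
    memset(src + 1, 0x41, 128);
    struct { uint8_t buf[4]; uint8_t guard[128]; } out;
    memset(&out, 0xEE, sizeof out);
    long n = tga_rle_decode(src, sizeof src, out.buf, sizeof out.buf, 1);
    for (size_t i = 0; i < sizeof out.guard; i++)
        if (out.guard[i] != 0xEE)
            return 0;                               /* guard overwritten */
    return n == 4 && out.buf[0] == 0x41 && out.buf[3] == 0x41;
}

/* Self-check 3 (constructed input): run packet header with no pixel bytes. */
static int check_truncated_run_is_rejected(void)
{
    const uint8_t src[] = { 0x83 };
    uint8_t dst[4] = { 0 };
    return tga_rle_decode(src, sizeof src, dst, sizeof dst, 1) == -1;
}
```

The design choice worth noting is that the clamp is computed once, before the branch on the packet type, so neither path can forget it; the per-path checks that remain are about the *source* running short, which is a separate failure mode from the *destination* overflow the advisory describes.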
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
Heap buffer overflow in image decoding library enables remote unauthenticated RCE via crafted TGA input to vulnerable applications/services, directly mapping to exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the heap buffer overflow by requiring timely remediation through patching vulnerable SAIL library versions to the fixed commit.
- SI-16 (Memory Protection): implements memory protections such as ASLR and DEP to prevent exploitation of the heap buffer overflow for remote code execution or memory corruption.
- Input validation: requires validation of input TGA images to reject malformed files that could trigger the raw-packet path buffer overflow in the SAIL decoder.