{"id":"CVE-2026-40492","summary":"SAIL has heap buffer overflow in XWD decoder — bits_per_pixel vs pixmap_depth type confusion in byte-swap","details":"SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.","aliases":["GHSA-526v-vm72-4v64"],"modified":"2026-07-15T01:48:53.613700520Z","published":"2026-04-18T01:39:48.056Z","database_specific":{"cwe_ids":["CWE-787"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40492.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"fixed":"36aa5c7ec8a2bb35f6fb867a1177a6f141156b02"}]}],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40492.json"},{"type":"ADVISORY","url":"https://github.com/HappySeaFox/sail/security/advisories/GHSA-526v-vm72-4v64"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40492"},{"type":"FIX","url":"https://github.com/HappySeaFox/sail/commit/36aa5c7ec8a2bb35f6fb867a1177a6f141156b02"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/happyseafox/sail","events":[{"introduced":"0"},{"fixed":"36aa5c7ec8a2bb35f6fb867a1177a6f141156b02"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v0.9.10","v0.9.9","v0.9.8","v0.9.7","v0.9.6","v0.9.5","v0.9.4","v0.9.3","v0.9.2","v0.9.1","v0.9.0","v0.9.0-rc3","v0.9.0-rc2","v0.9.0-rc1","v0.9.0-pre23","v0.9.0-pre22","v0.9.0-pre21","v0.9.0-pre20","v0.9.0-pre19","v0.9.0-pre18","v0.9.0-pre17","v0.9.0-pre16","v0.9.0-pre15","v0.9.0-pre14","v0.9.0-pre13","v0.9.0-pre12","v0.9.0-pre11","v0.9.0-pre10","v0.9.0-pre9","v0.9.0-pre8","v0.9.0-pre7","v0.9.0-pre6","v0.9.0-pre5","v0.9.0-pre4","v0.9.0-pre3","v0.9.0-pre2","v0.9.0-pre1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40492.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}