{"id":"CVE-2026-40493","summary":"SAIL has heap buffer overflow in PSD decoder — bpp mismatch in LAB 16-bit mode","details":"SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.","aliases":["GHSA-rcqx-gc76-r9mv"],"modified":"2026-07-08T08:12:34.695319399Z","published":"2026-04-18T01:41:14.664Z","database_specific":{"cwe_ids":["CWE-787"],"cna_assigner":"GitHub_M","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"fixed":"c930284445ea3ff94451ccd7a57c999eca3bc979"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40493.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40493.json"},{"type":"ADVISORY","url":"https://github.com/HappySeaFox/sail/security/advisories/GHSA-rcqx-gc76-r9mv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40493"},{"type":"FIX","url":"https://github.com/HappySeaFox/sail/commit/c930284445ea3ff94451ccd7a57c999eca3bc979"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/happyseafox/sail","events":[{"introduced":"0"},{"fixed":"c930284445ea3ff94451ccd7a57c999eca3bc979"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v0.9.10","v0.9.9","v0.9.8","v0.9.7","v0.9.6","v0.9.5","v0.9.4","v0.9.3","v0.9.2","v0.9.1","v0.9.0","v0.9.0-rc3","v0.9.0-rc2","v0.9.0-rc1","v0.9.0-pre23","v0.9.0-pre22","v0.9.0-pre21","v0.9.0-pre20","v0.9.0-pre19","v0.9.0-pre18","v0.9.0-pre17","v0.9.0-pre16","v0.9.0-pre15","v0.9.0-pre14","v0.9.0-pre13","v0.9.0-pre12","v0.9.0-pre11","v0.9.0-pre10","v0.9.0-pre9","v0.9.0-pre8","v0.9.0-pre7","v0.9.0-pre6","v0.9.0-pre5","v0.9.0-pre4","v0.9.0-pre3","v0.9.0-pre2","v0.9.0-pre1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40493.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}