{"id":"CVE-2026-40494","summary":"SAIL has heap buffer overflow in TGA RLE decoder — raw packet path missing bounds check","details":"SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.","aliases":["GHSA-cp2j-rwh4-r46f"],"modified":"2026-07-08T08:12:34.695762168Z","published":"2026-04-18T01:42:48.830Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40494.json","unresolved_ranges":[{"extracted_events":[{"fixed":"45d48d1f2e8e0d73e80bc1fd5310cb57f4547302"}],"source":"AFFECTED_FIELD"}],"cwe_ids":["CWE-787"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40494.json"},{"type":"ADVISORY","url":"https://github.com/HappySeaFox/sail/security/advisories/GHSA-cp2j-rwh4-r46f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40494"},{"type":"FIX","url":"https://github.com/HappySeaFox/sail/commit/45d48d1f2e8e0d73e80bc1fd5310cb57f4547302"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/happyseafox/sail","events":[{"introduced":"0"},{"fixed":"45d48d1f2e8e0d73e80bc1fd5310cb57f4547302"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v0.9.10","v0.9.9","v0.9.8","v0.9.7","v0.9.6","v0.9.5","v0.9.4","v0.9.3","v0.9.2","v0.9.1","v0.9.0","v0.9.0-rc3","v0.9.0-rc2","v0.9.0-rc1","v0.9.0-pre23","v0.9.0-pre22","v0.9.0-pre21","v0.9.0-pre20","v0.9.0-pre19","v0.9.0-pre18","v0.9.0-pre17","v0.9.0-pre16","v0.9.0-pre15","v0.9.0-pre14","v0.9.0-pre13","v0.9.0-pre12","v0.9.0-pre11","v0.9.0-pre10","v0.9.0-pre9","v0.9.0-pre8","v0.9.0-pre7","v0.9.0-pre6","v0.9.0-pre5","v0.9.0-pre4","v0.9.0-pre3","v0.9.0-pre2","v0.9.0-pre1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40494.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}