CVE-2026-27168
Heap-Based Buffer Overflow in SAIL XWD Image Parser
Publication date: 2026-02-21
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sail | sail | up to and including 0.9.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27168 is a heap-based buffer overflow vulnerability in the Sail-codecs-xwd package, specifically in the XWD image parser. The vulnerability occurs because the parser reads the bytes_per_line value directly from the XWD file header and uses it as the size parameter in a read operation without validating it against the actual size of the destination buffer.
An attacker can craft a malicious XWD file with an arbitrarily large bytes_per_line value, causing the read operation to write beyond the allocated heap buffer for image pixels. This leads to heap memory corruption, which can be exploited to execute arbitrary code.
The vulnerability requires no privileges or user interaction and can be exploited by an adjacent attacker. It is classified under CWE-122 (Heap-based Buffer Overflow) and has a high severity score (CVSS 8.8).
How can this vulnerability impact me?
This vulnerability can have severe impacts including corruption of heap memory and potential arbitrary code execution. An attacker exploiting this flaw can gain control over the execution flow of the affected application.
Because the vulnerability requires no privileges or user interaction and can be exploited by an adjacent attacker, it poses a significant security risk.
The impact affects confidentiality, integrity, and availability of the system, all rated as high in the CVSS assessment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by using a proof-of-concept (PoC) exploit that generates a malicious XWD file with an abnormally large bytes_per_line value (e.g., 60000) to trigger the heap buffer overflow.
When running the vulnerable Sail library compiled with AddressSanitizer (ASAN), the heap-buffer-overflow error will be detected during the read operation of the XWD file.
To detect the vulnerability on your system, you can:
- Compile the Sail library with AddressSanitizer enabled.
- Use the provided PoC Python script to generate a malicious XWD file with a large bytes_per_line value.
- Run the vulnerable application or test code to load the malicious XWD file and observe if ASAN reports a heap-buffer-overflow.
No specific network detection commands are provided, but monitoring for crashes or memory errors when processing XWD files can indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Since there is no fix available at the time of publication, immediate mitigation steps include:
- Avoid processing untrusted or unauthenticated XWD image files with the vulnerable Sail library.
- Implement input validation or filtering to reject XWD files with suspiciously large bytes_per_line values before parsing.
- Use sandboxing or run the image processing in a restricted environment to limit the impact of potential exploitation.
- Monitor for updates or patches from the Sail library maintainers and apply them as soon as they become available.
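The filtering step in the second bullet, and the unvalidated bytes_per_line read described in the explanation above, as an added example written for this page (it is not SAIL's code and does not reproduce SAIL's parser): a pre-parse check of the XWD header that rejects a bytes_per_line value inconsistent with pixmap_width, bits_per_pixel and bitmap_pad before any pixel buffer is allocated or filled. Field offsets follow X11's XWDFile.h (25 big-endian 32-bit fields, 100 bytes). The 256 MiB ceiling, the accepted bpp and pad sets, the function names and the two sample headers are assumptions constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Byte offsets of the header fields used below (X11 XWDFile.h layout).
 * Every XWD header field is a big-endian 32-bit integer. */
#define XWD_HEADER_MIN_SIZE    100u   /* 25 CARD32 fields */
#define XWD_OFF_HEADER_SIZE      0u
#define XWD_OFF_PIXMAP_WIDTH    16u
#define XWD_OFF_PIXMAP_HEIGHT   20u
#define XWD_OFF_BITMAP_PAD      40u
#define XWD_OFF_BITS_PER_PIXEL  44u
#define XWD_OFF_BYTES_PER_LINE  48u

/* Ceiling on one decoded pixel buffer; an assumption chosen for this example. */
#define XWD_MAX_PIXEL_BYTES (256u * 1024u * 1024u)

struct xwd_dims {
    uint32_t width, height, bits_per_pixel, bytes_per_line;
    size_t   pixel_bytes;   /* exact number of bytes all scanlines occupy */
};

static uint32_t rd_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 when the header is internally consistent, -1 otherwise.
 * Callers size and fill the pixel buffer from out->pixel_bytes only. */
int xwd_header_check(const unsigned char *buf, size_t len, struct xwd_dims *out)
{
    if (buf == NULL || len < XWD_HEADER_MIN_SIZE)
        return -1;

    uint32_t header_size = rd_be32(buf + XWD_OFF_HEADER_SIZE);
    uint32_t width       = rd_be32(buf + XWD_OFF_PIXMAP_WIDTH);
    uint32_t height      = rd_be32(buf + XWD_OFF_PIXMAP_HEIGHT);
    uint32_t pad         = rd_be32(buf + XWD_OFF_BITMAP_PAD);
    uint32_t bpp         = rd_be32(buf + XWD_OFF_BITS_PER_PIXEL);
    uint32_t bpl         = rd_be32(buf + XWD_OFF_BYTES_PER_LINE);

    if (header_size < XWD_HEADER_MIN_SIZE || header_size > len)
        return -1;
    if (width == 0 || height == 0 || width > 65535 || height > 65535)
        return -1;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return -1;
    if (pad != 8 && pad != 16 && pad != 32)
        return -1;

    /* Bytes one row needs, and the same rounded up to the pad unit.
     * width and bpp are bounded above, so these products cannot overflow. */
    uint64_t row_bits   = (uint64_t)width * bpp;
    uint64_t min_bpl    = (row_bits + 7) / 8;
    uint64_t padded_bpl = ((row_bits + pad - 1) / pad) * pad / 8;

    /* Core check: bytes_per_line must cover a row but may not exceed the
     * padded row width. A header claiming 60000 bytes per line for a
     * 4-pixel-wide 32 bpp image is rejected here, before any read. */
    if (bpl < min_bpl || bpl > padded_bpl)
        return -1;

    uint64_t total = (uint64_t)bpl * height;
    if (total > XWD_MAX_PIXEL_BYTES)
        return -1;

    if (out) {
        out->width = width;          out->height = height;
        out->bits_per_pixel = bpp;   out->bytes_per_line = bpl;
        out->pixel_bytes = (size_t)total;
    }
    return 0;
}

static void wr_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Builds a constructed 100-byte header: width x height, 32 bpp, pad 32. */
void make_sample_header(unsigned char hdr[XWD_HEADER_MIN_SIZE],
                        uint32_t width, uint32_t height, uint32_t bytes_per_line)
{
    memset(hdr, 0, XWD_HEADER_MIN_SIZE);
    wr_be32(hdr + XWD_OFF_HEADER_SIZE,    XWD_HEADER_MIN_SIZE);
    wr_be32(hdr + XWD_OFF_PIXMAP_WIDTH,   width);
    wr_be32(hdr + XWD_OFF_PIXMAP_HEIGHT,  height);
    wr_be32(hdr + XWD_OFF_BITMAP_PAD,     32);
    wr_be32(hdr + XWD_OFF_BITS_PER_PIXEL, 32);
    wr_be32(hdr + XWD_OFF_BYTES_PER_LINE, bytes_per_line);
}

int main(void)
{
    unsigned char hdr[XWD_HEADER_MIN_SIZE];
    struct xwd_dims d;

    make_sample_header(hdr, 4, 2, 16);      /* consistent: 4 px * 4 bytes */
    printf("consistent header:        %s\n",
           xwd_header_check(hdr, sizeof hdr, &d) == 0 ? "accepted" : "rejected");

    make_sample_header(hdr, 4, 2, 60000);   /* bytes_per_line far too large */
    printf("oversized bytes_per_line: %s\n",
           xwd_header_check(hdr, sizeof hdr, &d) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of deriving the bound from width, bits_per_pixel and bitmap_pad rather than from a fixed magic number is that a legitimate file can never exceed the padded row width, so the filter has no false positives on well-formed images, while any header that would make a parser read more bytes per row than the pixel buffer holds is refused without trusting the file's own length field.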