CVE-2026-35444
Received - Intake
Heap Out-of-Bounds Read in SDL_image XCF Colormap Handling

Publication date: 2026-04-06

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.
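
The missing check described above, as an added C example (not SDL_image's code and not the referenced commit). The function names, the fallback pixel and the packed-RGB colormap layout with ARGB8888 output are assumptions made for illustration; it covers both the bpp=1 and bpp=2 indexed paths.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not SDL_image source. Assumed layout: colormap is
 * cm_num packed RGB triplets (3 * cm_num bytes); output is ARGB8888. */
#define FALLBACK_PIXEL 0xFF000000u /* opaque black for rejected indices */
/* Unchecked pattern of the kind the advisory describes (illustrative):
 *     r = cm[idx * 3]; g = cm[idx * 3 + 1]; b = cm[idx * 3 + 2];
 * With idx >= cm_num this reads past the 3 * cm_num byte allocation. */

/* Checked lookup: returns 1 on success, 0 if idx is outside the colormap. */
static int cm_lookup(const uint8_t *cm, uint32_t cm_num, uint8_t idx,
                     uint8_t alpha, uint32_t *out)
{
    if (cm == NULL || idx >= cm_num) {
        *out = FALLBACK_PIXEL;
        return 0;
    }
    const uint8_t *e = cm + (size_t)idx * 3;
    *out = ((uint32_t)alpha << 24) | ((uint32_t)e[0] << 16) |
           ((uint32_t)e[1] << 8) | e[2];
    return 1;
}

/* Converts n pixels. bpp 1: index byte, opaque. bpp 2: index byte + alpha
 * byte. Returns how many out-of-range indices were replaced, or (size_t)-1
 * for an unsupported bpp. */
size_t convert_indexed(const uint8_t *cm, uint32_t cm_num, const uint8_t *src,
                       size_t n, int bpp, uint32_t *dst)
{
    size_t rejected = 0;
    if (bpp != 1 && bpp != 2)
        return (size_t)-1;
    for (size_t i = 0; i < n; i++) {
        uint8_t idx = src[i * (size_t)bpp];
        uint8_t alpha = (bpp == 2) ? src[i * 2 + 1] : 0xFF;
        if (!cm_lookup(cm, cm_num, idx, alpha, &dst[i]))
            rejected++;
    }
    return rejected;
}

int main(void)
{
    const uint8_t cm[6] = {10, 20, 30, 40, 50, 60}; /* constructed, cm_num = 2 */
    const uint8_t src[3] = {0, 1, 200};             /* constructed, 200 is out of range */
    uint32_t dst[3];
    return convert_indexed(cm, 2, src, 3, 1, dst) == 1 ? 0 : 1;
}
```

A loader can treat any non-zero return as a malformed file and refuse to produce a surface instead of substituting the fallback pixel.
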
Meta Information
Published: 2026-04-06
Last Modified: 2026-04-16
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
libsdl | sdl_image | to 2026-04-02 (exc)
CWE ID | Description
CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the SDL_image library, specifically in the function do_layer_surface() within the src/IMG_xcf.c file. The issue arises because pixel index values from decoded XCF tile data are used directly as colormap indices without checking if they are within the valid range of the colormap size.

If a specially crafted .xcf file contains a small colormap but includes out-of-range pixel indices, the program reads up to 762 bytes past the colormap's heap allocation.

The leaked heap bytes are then written into the output surface pixel data, which means that these unintended bytes could be visible in the rendered image. Both indexed image code paths (with bits per pixel equal to 1 and 2) are affected.


How can this vulnerability impact me?

This vulnerability can lead to the exposure of unintended memory contents through the rendered image, potentially leaking sensitive information stored in heap memory.

Additionally, the heap out-of-bounds read could cause application instability or crashes, leading to denial of service.

Since the vulnerability can be triggered by opening a crafted .xcf file, any application using SDL_image to process such files without the fix is at risk.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update SDL_image to a version that includes the fix from commit 996bf12888925932daace576e09c3053410896f8.

