CVE-2026-40493
Heap Buffer Overflow in SAIL PSD Codec Causes Memory Corruption

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.
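
The size arithmetic from the description, as an added C example (not SAIL's code; the function names and the 4-pixel row are constructed for illustration). It assumes, per the description, that writes use the header-derived stride while the row is sized from the resolved format, and shows a bounds-checked row writer that rejects the LAB case instead of overshooting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the size mismatch; names are hypothetical, not SAIL's API. */
enum { LAB_FORMAT_BITS = 40 };   /* BPP40_CIE_LAB: 40 bits = 5 bytes per pixel */

/* Bytes per pixel derived from raw header fields (the stride used for writes). */
size_t header_bpp(unsigned channels, unsigned depth) {
    return ((size_t)channels * depth + 7) / 8;
}

/* Bytes per pixel implied by the resolved pixel format (the size used to allocate). */
size_t format_bpp(unsigned format_bits) {
    return ((size_t)format_bits + 7) / 8;
}

/* Bytes a row of `width` pixels would write past a row sized from the format. */
size_t row_overrun(size_t width, unsigned channels, unsigned depth, unsigned format_bits) {
    size_t need = width * header_bpp(channels, depth);
    size_t have = width * format_bpp(format_bits);
    return need > have ? need - have : 0;
}

/* Hardened row writer: the copy length is checked against the real allocation.
 * Returns 0 on success, -1 if the header-derived row does not fit the buffer. */
int write_row_checked(uint8_t *row, size_t row_size, const uint8_t *src,
                      size_t width, unsigned channels, unsigned depth) {
    size_t bpp = header_bpp(channels, depth);
    if (bpp == 0 || width > SIZE_MAX / bpp || width * bpp > row_size)
        return -1;               /* reject instead of overshooting */
    memcpy(row, src, width * bpp);
    return 0;
}

/* The LAB case from the description: 3 channels, 16-bit depth, 4-pixel row. */
int demo_lab_row_rejected(void) {
    size_t width = 4;
    size_t row_size = width * format_bpp(LAB_FORMAT_BITS);   /* 20 bytes allocated */
    uint8_t src[4 * 6] = {0};    /* constructed input: 24 bytes of pixel data */
    uint8_t *row = calloc(1, row_size);
    if (!row) return -2;
    int rc = write_row_checked(row, row_size, src, width, 3, 16);
    free(row);
    return rc;                   /* -1: 24 bytes do not fit in 20 */
}

int main(void) { return demo_lab_row_rejected() == -1 ? 0 : 1; }
```

In this model the overrun grows by one byte per pixel, so the excess per row equals the image width.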
Meta Information
Published: 2026-04-18
Last Modified: 2026-04-18
Generated: 2026-05-07
AI Q&A: 2026-04-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE

| Vendor | Product | Version / Range |
|---|---|---|
| happyseaflux | sail | to c930284445ea3ff94451ccd7a57c999eca3bc979 (exc) |
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the SAIL library, which is used for loading and saving images with support for animation, metadata, and ICC profiles. Specifically, the issue is in the PSD codec where the bytes-per-pixel (bpp) calculation is done incorrectly. It calculates bpp from raw header fields as channels multiplied by depth, but the pixel buffer allocation is based on a resolved pixel format that does not match this calculation.

For LAB mode images with 3 channels and 16-bit depth, the bpp calculation results in 6 bytes per pixel, but the allocated buffer only reserves 5 bytes per pixel. This mismatch causes every pixel write to overflow the allocated buffer, leading to a deterministic heap buffer overflow on every row of the image.

This vulnerability was fixed in commit c930284445ea3ff94451ccd7a57c999eca3bc979.


How can this vulnerability impact me?

This vulnerability can lead to a heap buffer overflow, which is a serious security issue. An attacker could exploit this overflow to execute arbitrary code, cause a program crash, or trigger a denial of service.

Because the vulnerability is exploitable remotely without any privileges or user interaction (as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N), it poses a high risk to systems using the vulnerable SAIL library for processing PSD images.

The impact includes complete compromise of confidentiality, integrity, and availability of the affected system, as reflected by the CVSS score of 9.8.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the SAIL library to include the patch introduced in commit c930284445ea3ff94451ccd7a57c999eca3bc979, which fixes the heap buffer overflow issue in the PSD codec.

