CVE-2026-42146
Deferred Deferred - Pending Action

Out-of-Memory in CImg Library via Malicious BMP File

Vulnerability report for CVE-2026-42146, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-04

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description

CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-04
Last Modified
2026-05-06
Generated
2026-07-06
AI Q&A
2026-05-05
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the CImg Library, a C++ library used for image processing. Before a specific patch, the library used the nb_colors field from the BMP file header directly to calculate memory allocation size without verifying if this value was reasonable compared to the actual file size.

An attacker can craft a BMP file with an artificially large nb_colors value, causing the library to allocate excessive memory. This leads to an out-of-memory condition that crashes any application using CImg to load such untrusted BMP files.

The issue was fixed in a patch that added validation to prevent this improper memory allocation.

Impact Analysis

This vulnerability can cause applications that use the CImg Library to crash when processing specially crafted BMP files. This results in a denial of service (DoS) condition.

If your application processes untrusted BMP images using CImg, an attacker could exploit this flaw to disrupt service availability by triggering out-of-memory crashes.

Mitigation Strategies

To mitigate this vulnerability, ensure that your applications using the CImg Library are updated to include the patch from commit c3aacf5, which validates the nb_colors field against the remaining file size before allocation.

Avoid loading untrusted BMP files with vulnerable versions of the CImg Library to prevent out-of-memory crashes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42146. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart