CVE-2026-42146
Deferred Deferred - Pending Action
Out-of-Memory in CImg Library via Malicious BMP File

Publication date: 2026-05-04

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42146
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the CImg Library, a C++ library used for image processing. Before a specific patch, the library used the nb_colors field from the BMP file header directly to calculate memory allocation size without verifying if this value was reasonable compared to the actual file size.

An attacker can craft a BMP file with an artificially large nb_colors value, causing the library to allocate excessive memory. This leads to an out-of-memory condition that crashes any application using CImg to load such untrusted BMP files.

The issue was fixed in a patch that added validation to prevent this improper memory allocation.

Impact Analysis

This vulnerability can cause applications that use the CImg Library to crash when processing specially crafted BMP files. This results in a denial of service (DoS) condition.

If your application processes untrusted BMP images using CImg, an attacker could exploit this flaw to disrupt service availability by triggering out-of-memory crashes.

Mitigation Strategies

To mitigate this vulnerability, ensure that your applications using the CImg Library are updated to include the patch from commit c3aacf5, which validates the nb_colors field against the remaining file size before allocation.

Avoid loading untrusted BMP files with vulnerable versions of the CImg Library to prevent out-of-memory crashes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42146. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart