CVE-2026-4367
Status: Received - Intake
Out-of-Bounds Read in libXpm XPM File Processing

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Red Hat, Inc.

Description
A flaw was found in libXpm. A local user with low privileges could exploit an Out-of-Bounds Read vulnerability in the `xpmNextWord()` function by processing a specially crafted or very small XPM (X PixMap) image file. This improper validation of file boundaries can cause an internal pointer to read beyond the file's end, leading to application crashes and Denial of Service conditions.
Meta Information
CVSS Scores: none listed
EPSS Scores: not yet evaluated (N/A)
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-4367 is an out-of-bounds read in libXpm, the X.Org library for reading and writing XPM (X PixMap) images. It occurs in the xpmNextWord() function while an XPM file is being parsed.

The root cause is in xpmNextString(): when it scans for the end of the current string it checks for a terminating NUL, but when it then scans for the start of the next string it does not. On a file that ends before another string begins, that second scan runs off the end of the data, and xpmNextWord() then starts reading beyond the actual end of the file.

A local user with low privileges triggers it by getting a specially crafted or very small (truncated) XPM file processed by an application that uses libXpm; the library's internal read pointer then moves past the end of the file data.

Impact Analysis

Exploiting this vulnerability can crash applications that depend on libXpm, producing a Denial of Service (DoS).

The record scopes the impact to availability: the over-read produces memory read errors and crashes, and no confidentiality or integrity impact is claimed. As with any out-of-bounds read, that is the documented impact rather than a proof that stray bytes can never reach output; the record does not assess that question.

The attack vector is local with low privileges: the attacker needs a foothold on the system, or some way to place a file where a libXpm-linked application will open it, but no elevated rights.

Detection Guidance

This vulnerability is triggered by processing specially crafted or very small XPM image files that cause an out-of-bounds read in the libXpm library's xpmNextWord() function.

Detection can involve identifying vulnerable libXpm versions (prior to 3.5.19) on your systems and monitoring applications that parse XPM files for crashes or Denial of Service symptoms. Distributions frequently backport fixes without changing the upstream version number, so confirm against your vendor's advisory or the package changelog rather than relying on the version string alone.

You can check the installed libXpm version with commands like:

  • rpm -q libXpm
  • dpkg -l | grep libxpm

Additionally, where XPM files arrive from untrusted sources, a structural pre-check (that every quoted string is closed, and that the colour and row strings the header declares are actually present before the file ends) can flag truncated or malformed files before they reach libXpm.
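As an added illustration (example code written for this page, not libXpm's source and not taken from Red Hat's or X.Org's materials), the block below mirrors the parsing flaw the Executive Summary describes and shows the kind of structural pre-check suggested above. The cursor structure, the function names and the three constructed XPM samples are this example's own; libXpm's real data structures and function signatures differ. The vulnerable scanner reproduces the pattern of a NUL-checked end-of-string scan followed by an unchecked start-of-next-string scan, the hardened scanner bounds both, and the overrun is measured inside a zero-filled arena so the demonstration itself stays in bounds.

```c
/* Illustrative scanner for the quoted strings of an XPM buffer, mirroring the
 * flaw this record describes. Not libXpm source: every name and sample here is
 * this example's own; libXpm's internal structures differ. */
#include <stdio.h>
#include <string.h>
enum { XPM_OK = 0, XPM_INVALID = -1 };

/* pos normally sits just inside the opening quote of the current string. */
struct xpm_cursor { const char *buf; size_t len; size_t pos; };

/* Constructed samples: a valid 2x2 image, the same file cut off after its
 * header string, and a "very small" file that is nothing but a header. */
static const char GOOD_XPM[] =
    "/* XPM */\n" "static char *img[] = {\n" "\"2 2 2 1\",\n"
    "\". c #000000\",\n" "\"# c #ffffff\",\n" "\".#\",\n" "\"#.\"\n" "};\n";
static const char TRUNCATED_XPM[] =
    "/* XPM */\n" "static char *img[] = {\n" "\"2 2 2 1\",\n";
static const char TINY_XPM[] = "\"1 1 1 1\"";

/* Vulnerable pattern: the scan for the END of the current string stops on NUL,
 * but the scan for the START of the next string stops only on '"', so when the
 * file holds no further quote it keeps reading past the data. */
static int next_string_unchecked(struct xpm_cursor *c)
{
    char ch;
    while ((ch = c->buf[c->pos++]) != '"')
        if (ch == '\0') return XPM_INVALID;   /* end-of-string scan: checked */
    while (c->buf[c->pos++] != '"')
        ;                                     /* BUG: no NUL or length check */
    return XPM_OK;
}

/* Hardened step: advance past the next '"' without passing len or a NUL. */
static int seek_quote(struct xpm_cursor *c)
{
    while (c->pos < c->len) {
        char ch = c->buf[c->pos++];
        if (ch == '"') return XPM_OK;
        if (ch == '\0') return XPM_INVALID;   /* NUL inside the data: corrupt */
    }
    return XPM_INVALID;                       /* ran into the end of the buffer */
}

/* Hardened counterpart of next_string_unchecked: both scans are bounded. */
static int next_string_checked(struct xpm_cursor *c)
{
    if (seek_quote(c) != XPM_OK) return XPM_INVALID; /* close current string */
    return seek_quote(c);                            /* open the next one */
}

/* Pre-screen: parse "<w> <h> <ncolors> <cpp>" from the first string and verify
 * that the ncolors + h strings it promises are all present and closed before
 * the buffer ends. Returns 1 if well formed, 0 otherwise. */
int xpm_strings_well_formed(const char *buf, size_t len)
{
    struct xpm_cursor c = { buf, len, 0 };
    char hdr[64];
    unsigned w, h, nc, cpp;
    size_t start, n;
    if (seek_quote(&c) != XPM_OK) return 0;   /* opening quote of the header */
    start = c.pos;
    if (seek_quote(&c) != XPM_OK) return 0;   /* closing quote of the header */
    n = c.pos - 1 - start;
    if (n >= sizeof hdr) return 0;
    memcpy(hdr, buf + start, n);
    hdr[n] = '\0';
    if (sscanf(hdr, "%u %u %u %u", &w, &h, &nc, &cpp) != 4 || !w || !h || !nc)
        return 0;
    c.pos = start;                            /* back inside the header string */
    for (size_t i = 0; i < (size_t)nc + h; i++)
        if (next_string_checked(&c) != XPM_OK) return 0; /* promised string missing */
    return seek_quote(&c) == XPM_OK;          /* last string must be closed too */
}

/* Run the vulnerable scanner on TRUNCATED_XPM placed at the front of a larger
 * zeroed arena. The zeros stand in for whatever follows the file in memory; a
 * '"' planted near the arena's end stops the run so the overrun can be measured
 * instead of faulting. Returns how many bytes past the file's end were read. */
size_t demo_overrun_bytes(void)
{
    char arena[128];
    struct xpm_cursor c = { arena, strlen(TRUNCATED_XPM), 0 };
    memset(arena, 0, sizeof arena);
    memcpy(arena, TRUNCATED_XPM, sizeof TRUNCATED_XPM);   /* includes the NUL */
    arena[sizeof arena - 2] = '"';
    seek_quote(&c);                           /* step inside the header string */
    next_string_unchecked(&c);
    return c.pos > c.len ? c.pos - c.len : 0;
}

int main(void)
{
    printf("well formed: good=%d truncated=%d tiny=%d; overrun=%zu bytes\n",
           xpm_strings_well_formed(GOOD_XPM, strlen(GOOD_XPM)),
           xpm_strings_well_formed(TRUNCATED_XPM, strlen(TRUNCATED_XPM)),
           xpm_strings_well_formed(TINY_XPM, strlen(TINY_XPM)), demo_overrun_bytes());
    return 0;
}
```

Compile with `cc -Wall example.c` and run. On the truncated sample the unchecked scanner walks 83 bytes past the end of the file data before it happens upon the planted quote; in a real process it would keep going until it faulted or met a stray quote, which is the crash behaviour the record describes, while the hardened scanner stops at the end of the data and rejects the file. The pre-check validates only string structure, not colour tables or pixel rows, so it is a filter in front of libXpm, not a substitute for updating.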

Monitoring application logs for crashes related to XPM file processing can also indicate exploitation attempts.

Mitigation Strategies

The primary mitigation step is to update the libXpm library to version 3.5.19 or later, where this vulnerability has been fixed.

Until the update can be applied, avoid processing untrusted or suspicious XPM image files, especially those that are very small or potentially malformed.

Restrict local user access to systems where vulnerable versions of libXpm are installed to reduce the risk of exploitation.

Monitor applications that use libXpm for crashes or Denial of Service conditions and apply any vendor-provided patches or workarounds promptly.
