ubuntu-cve-2026-40494
Vulnerability from osv_ubuntu
Published
2026-04-18 03:16
Modified
2026-05-20 15:27
Summary
Details
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in tga.c has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.
Severity
9.8 (Critical)
N/A (UNKNOWN)
References
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libsail-c++0t64",
"binary_version": "0.9.0+repack-2.1build1"
},
{
"binary_name": "libsail-common0t64",
"binary_version": "0.9.0+repack-2.1build1"
},
{
"binary_name": "libsail-manip0t64",
"binary_version": "0.9.0+repack-2.1build1"
},
{
"binary_name": "libsail0t64",
"binary_version": "0.9.0+repack-2.1build1"
},
{
"binary_name": "sail-codecs",
"binary_version": "0.9.0+repack-2.1build1"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "sail",
"purl": "pkg:deb/ubuntu/sail@0.9.0+repack-2.1build1?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.9.0+repack-1",
"0.9.0+repack-2",
"0.9.0+repack-2.1",
"0.9.0+repack-2.1build1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libsail-c++0t64",
"binary_version": "0.9.9-1"
},
{
"binary_name": "libsail-common0t64",
"binary_version": "0.9.9-1"
},
{
"binary_name": "libsail-manip0t64",
"binary_version": "0.9.9-1"
},
{
"binary_name": "libsail0t64",
"binary_version": "0.9.9-1"
},
{
"binary_name": "sail-codecs",
"binary_version": "0.9.9-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "sail",
"purl": "pkg:deb/ubuntu/sail@0.9.9-1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.9.7-1build1",
"0.9.8-1",
"0.9.9-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libsail-c++0t64",
"binary_version": "0.9.10-1"
},
{
"binary_name": "libsail-common0t64",
"binary_version": "0.9.10-1"
},
{
"binary_name": "libsail-manip0t64",
"binary_version": "0.9.10-1"
},
{
"binary_name": "libsail0t64",
"binary_version": "0.9.10-1"
},
{
"binary_name": "sail-codecs",
"binary_version": "0.9.10-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "sail",
"purl": "pkg:deb/ubuntu/sail@0.9.10-1?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.9.9-1",
"0.9.10-1"
]
}
],
"aliases": [],
"details": "SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec\u0027s RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.",
"id": "UBUNTU-CVE-2026-40494",
"modified": "2026-05-20T15:27:26Z",
"published": "2026-04-18T03:16:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-40494"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40494"
},
{
"type": "REPORT",
"url": "https://github.com/HappySeaFox/sail/security/advisories/GHSA-cp2j-rwh4-r46f"
}
],
"related": [],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-40494"
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…