Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Lifecycle Timeline
7DescriptionGitHub Advisory
SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.
AnalysisAI
Heap out-of-bounds read in SDL_image library's XCF format parser allows remote information disclosure when processing malicious GIMP files. Attackers can craft .xcf files with undersized colormaps and invalid pixel indices to leak up to 762 bytes of heap memory into rendered image data, potentially exposing sensitive process memory. The vulnerability affects both indexed color code paths (1-bit and 2-bit per pixel). No public exploit identified at time of analysis, but EPSS and exploitation likelihood are notable given the library's widespread use in gaming and multimedia applications requiring minimal user interaction (opening a file).
Technical ContextAI
SDL_image is a widely-used auxiliary library for Simple DirectMedia Layer (SDL) that handles loading various image formats including GIMP's native XCF format. The vulnerability exists in the do_layer_surface() function within src/IMG_xcf.c, specifically in the IMAGE_INDEXED rendering path. When decoding XCF tile data, the code extracts pixel index values and uses them to look up colors in a colormap structure without boundary validation. The colormap size is defined by the cm_num field, but pixel indices from untrusted tile data are applied directly as array offsets. This represents a classic CWE-125 (Out-of-bounds Read) vulnerability. Both bpp=1 and bpp=2 code paths trust pixel indices implicitly, allowing indices >= cm_num to read beyond the allocated colormap buffer. The vulnerable code path is triggered during normal image loading operations when processing indexed-color XCF layers, making it reachable through standard library APIs without requiring special modes or configurations.
RemediationAI
Upstream fix available via commit 996bf12888925932daace576e09c3053410896f8 in the libsdl-org/SDL_image repository; released patched version not independently confirmed from available data. Organizations should monitor the SDL_image release page for tagged versions incorporating this commit and upgrade immediately upon availability. Until a released version is confirmed, development builds can integrate the fix commit directly from source. As an interim mitigation, applications can disable XCF format support if not operationally required by removing or not registering the XCF loader module, though this may break functionality for users expecting GIMP file compatibility. Input validation layers should restrict accepted image formats to trusted types where feasible. Security-conscious deployments should sandbox image processing operations to limit heap disclosure impact. Consult the official advisory at https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7 for vendor-specific guidance and version recommendations as they become available.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19527