Is Memory Corruption affected by CVE-2026-40494?

SAIL image library versions prior to commit 45d48d1 contain a critical heap buffer overflow in the TGA decoder that enables unauthenticated remote code execution when processing malformed image files.

CVE-2026-40494

EUVD-2026-23648 CRITICAL

2026-04-18 GitHub_M

Memory Corruption Buffer Overflow

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 18, 2026 - 03:27 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 18, 2026 - 03:22 vuln.today

cvss_changed

patch_available

Apr 18, 2026 - 03:01 EUVD

Analysis Generated

Apr 18, 2026 - 02:41 vuln.today

DescriptionNVD

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in tga.c has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.

AnalysisAI

Heap buffer overflow in SAIL image library's TGA decoder allows remote code execution via malformed RLE-compressed TGA files against all versions prior to commit 45d48d1. Network-accessible applications processing untrusted TGA images can be fully compromised without authentication or user interaction (CVSS 9.8). …

RemediationAI

Within 24 hours: Identify all systems and applications using SAIL library versions prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302; isolate or disable TGA file processing on externally-facing services. Within 7 days: Apply vendor patch by updating SAIL to the version containing commit 45d48d1 or later across all affected systems. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-40494 vulnerability details – vuln.today

Back

CVE-2026-40494

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code