
Sail CVE-2026-40494 | EUVD-2026-23648
CRITICAL 9.8 (CVSS 3.1 · GitHub Advisory)
Out-of-bounds Write (CWE-787)
2026-04-18 GitHub_M

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline (8 events)

  • Apr 20, 2026 - 18:55, nvd: Patch released (Patch available)
  • Apr 18, 2026 - 03:27, vuln.today: Analysis Updated, v2 (cvss_changed)
  • Apr 18, 2026 - 03:22, vuln.today: Re-analysis Queued (cvss_changed)
  • Apr 18, 2026 - 03:01, EUVD: Patch available
  • Apr 18, 2026 - 02:41, vuln.today: Analysis Generated
  • Apr 18, 2026 - 02:30, euvd: EUVD ID Assigned (EUVD-2026-23648)
  • Apr 18, 2026 - 02:30, vuln.today: Analysis Generated
  • Apr 18, 2026 - 01:42, nvd: CVE Published (CRITICAL 9.8)

Description (GitHub Advisory)

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the RLE decoder of the TGA codec in tga.c has an asymmetric bounds check. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (lines 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.
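
The asymmetry described above is avoided when one remaining-space check runs before either packet path copies anything. The decoder below is an added example, not SAIL's tga.c and not the code of the fixing commit; the name tga_rle_decode, its signature and the sample bytes are assumptions made for illustration, and it rejects an oversized packet where the description says SAIL's run path clamps.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical helper, not SAIL code). Decodes TGA RLE packets
 * from in[0..in_len) into out[0..out_len) at bpp bytes per pixel. Returns the
 * bytes written, or -1 on a truncated stream or a packet that does not fit. */
long tga_rle_decode(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_len, size_t bpp)
{
    size_t ip = 0, op = 0;
    if (bpp == 0 || bpp > 4)
        return -1;
    while (op < out_len) {
        if (ip >= in_len)
            return -1;                        /* no packet header left */
        uint8_t hdr = in[ip++];
        size_t bytes = ((size_t)(hdr & 0x7F) + 1) * bpp;  /* 1..128 pixels */
        /* One check for BOTH packet kinds: the packet must fit in the
         * space that remains in the output buffer. */
        if (bytes > out_len - op)
            return -1;
        if (hdr & 0x80) {                     /* run packet: repeat one pixel */
            if (in_len - ip < bpp)
                return -1;
            for (size_t n = 0; n < bytes; n += bpp)
                memcpy(out + op + n, in + ip, bpp);
            ip += bpp;
        } else {                              /* raw packet: literal pixels */
            if (in_len - ip < bytes)
                return -1;
            memcpy(out + op, in + ip, bytes);
            ip += bytes;
        }
        op += bytes;
    }
    return (long)op;
}

int main(void)
{
    /* Constructed input: raw-packet header 0x03 announces 4 literal pixels. */
    const uint8_t raw4[] = { 0x03, 'A', 'B', 'C', 'D' };
    uint8_t out[4];
    printf("fits: %ld\n", tga_rle_decode(raw4, sizeof raw4, out, 4, 1));
    printf("too big: %ld\n", tga_rle_decode(raw4, sizeof raw4, out, 2, 1));
    return 0;
}
```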

Analysis (AI)

Heap buffer overflow in SAIL image library's TGA decoder allows remote code execution via malformed RLE-compressed TGA files against all versions prior to commit 45d48d1. Network-accessible applications processing untrusted TGA images can be fully compromised without authentication or user interaction (CVSS 9.8). …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Deliver malicious TGA file
  • Delivery: Application invokes SAIL TGA decoder
  • Exploit: Parser allocates undersized heap buffer
  • Install: RLE raw-packet handler writes 496 bytes past buffer
  • C2: Overwrite heap metadata/function pointers
  • Execute: Redirect execution to attacker payload
  • Impact: Execute arbitrary code in application context

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target application to invoke SAIL's TGA decoding functionality on attacker-supplied file data. …

Risk Assessment: CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects accurate real-world risk for applications parsing untrusted TGA files from network sources: web servers processing user uploads, email attachment handlers, or document conversion services. …

Exploit Scenario: Attacker hosts a specially crafted TGA file on a web server or embeds it in a document. When a victim application using SAIL processes this file (via user upload to a web application, email attachment preview, or automated document conversion pipeline), the TGA decoder allocates a heap buffer based on image dimensions. …

Remediation: Update SAIL library to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 or any subsequent release incorporating this fix (https://github.com/HappySeaFox/sail/commit/45d48d1f2e8e0d73e80bc1fd5310cb57f4547302). …

Recommended Action (AI)

Within 24 hours: Identify all systems and applications using SAIL library versions prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302; isolate or disable TGA file processing on externally-facing services. …
