Skip to main content

CImg Library CVE-2026-42146

| EUVDEUVD-2026-27077 MEDIUM
Memory Allocation with Excessive Size Value (CWE-789)
2026-05-04 security-advisories@github.com
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
May 04, 2026 - 18:30 vuln.today
Analysis Generated
May 04, 2026 - 18:30 vuln.today
Analysis Generated
May 04, 2026 - 18:22 vuln.today
CVE Published
May 04, 2026 - 18:16 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5.

AnalysisAI

Denial of service in CImg Library prior to version 3.7.5 allows local attackers to crash applications via crafted BMP files with oversized nb_colors header fields. The vulnerability stems from unchecked allocation of memory based on user-supplied file header data, causing out-of-memory conditions when loading untrusted BMP files. No authentication or network access required; user interaction (file opening) is the sole prerequisite.

Technical ContextAI

CImg is a C++ header-only library for image processing and manipulation. The vulnerability exists in BMP file parsing code within CImg.h, specifically in the image loading routine that reads the BMP color palette header field (nb_colors). The library uses this value directly to allocate memory for the palette without validating it against either the declared bits-per-pixel (bpp) or the remaining file size. For bpp values less than 16, the maximum valid palette size should be 2^bpp colors; the patch enforces this constraint. The root cause is CWE-789 (Memory Allocation with Excessive Size Value), where untrusted input directly determines allocation size without bounds checking.

RemediationAI

Upgrade to CImg Library version 3.7.5 or later, which includes the fix from commit c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3. For applications embedding CImg.h as a header-only library, update the CImg.h file from the CImg GitHub repository (https://github.com/GreycLab/CImg/releases/tag/v.3.7.5). If immediate upgrade is not feasible, implement input validation at the application layer: reject BMP files with nb_colors values exceeding the theoretical maximum (2^bpp for bpp < 16) or larger than the declared file size. Additionally, consider sandboxing or rate-limiting image processing operations to mitigate resource exhaustion impact. Note that disabling BMP format support entirely eliminates the attack surface but may impact feature completeness.

Share

CVE-2026-42146 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy