Is Memory Corruption affected by EUVD-2026-23644?

CVE-2026-40492 is a critical remote code execution vulnerability in the SAIL image library's XWD codec that allows unauthenticated attackers to execute arbitrary code by sending a malformed image file to any system processing XWD images.

EUVD-2026-23644

| CVE-2026-40492 CRITICAL

2026-04-18 GitHub_M

Memory Corruption Buffer Overflow

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 18, 2026 - 03:29 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 18, 2026 - 03:22 vuln.today

cvss_changed

patch_available

Apr 18, 2026 - 03:01 EUVD

Analysis Generated

Apr 18, 2026 - 02:41 vuln.today

DescriptionNVD

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on pixmap_depth but the byte-swap code uses bits_per_pixel independently. When pixmap_depth=8 (BPP8_INDEXED, 1 byte/pixel buffer) but bits_per_pixel=32, the byte-swap loop accesses memory as uint32_t*, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed bytes_per_line validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.

AnalysisAI

Out-of-bounds memory access in SAIL image library's XWD codec allows remote attackers to achieve arbitrary code execution via malformed image files. The vulnerability stems from a pixel format mismatch where buffer allocation uses pixmap_depth=8 (1 byte/pixel) but byte-swap operations use bits_per_pixel=32 (4 bytes/pixel), causing 4x buffer overrun. …

RemediationAI

Within 24 hours: inventory all systems and applications using SAIL image library and identify those handling XWD image format; disable XWD codec processing if not essential. Within 7 days: apply vendor patch from commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 or later to all affected systems; verify patch deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-23644 vulnerability details – vuln.today

Back

EUVD-2026-23644

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code