What is the CVSS score of EUVD-2026-23644?

EUVD-2026-23644 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Sail are affected by EUVD-2026-23644?

CVE-2026-40492 is a critical remote code execution vulnerability in the SAIL image library's XWD codec that allows unauthenticated attackers to execute arbitrary code by sending a malformed image…. A patch is available.

How to fix or mitigate EUVD-2026-23644?

Within 24 hours: inventory all systems and applications using SAIL image library and identify those handling XWD image format; disable XWD codec processing if not essential. Within 7 days: apply vendor patch from commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 or later to all affected systems; verify patch deployment. Within 30 days: conduct code review of any image processing workflows to eliminate unnecessary support for legacy formats like XWD, and implement strict file-type validation on all image upload endpoints.

Sail EUVD-2026-23644

| CVE-2026-40492 CRITICAL

Out-of-bounds Write (CWE-787)

2026-04-18 GitHub_M

Memory Corruption Buffer Overflow Sail

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Apr 20, 2026 - 18:55 nvd

Patch available

Analysis Updated

Apr 18, 2026 - 03:29 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 18, 2026 - 03:22 vuln.today

cvss_changed

Patch available

Apr 18, 2026 - 03:01 EUVD

Analysis Generated

Apr 18, 2026 - 02:41 vuln.today

EUVD ID Assigned

Apr 18, 2026 - 02:30 euvd

EUVD-2026-23644

Analysis Generated

Apr 18, 2026 - 02:30 vuln.today

CVE Published

Apr 18, 2026 - 01:39 nvd

CRITICAL 9.8

DescriptionGitHub Advisory

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on pixmap_depth but the byte-swap code uses bits_per_pixel independently. When pixmap_depth=8 (BPP8_INDEXED, 1 byte/pixel buffer) but bits_per_pixel=32, the byte-swap loop accesses memory as uint32_t*, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed bytes_per_line validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.

AnalysisAI

Out-of-bounds memory access in SAIL image library's XWD codec allows remote attackers to achieve arbitrary code execution via malformed image files. The vulnerability stems from a pixel format mismatch where buffer allocation uses pixmap_depth=8 (1 byte/pixel) but byte-swap operations use bits_per_pixel=32 (4 bytes/pixel), causing 4x buffer overrun. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Deliver crafted XWD file

Delivery

SAIL parses headers (pixmap_depth=8, bits_per_pixel=32)

Exploit

Allocate 1-byte/pixel buffer

Install

Byte-swap loop accesses as uint32_t*

Write 4x beyond buffer

Execute

Corrupt heap metadata

Impact

Execute arbitrary code

Recon

Deliver crafted XWD file

Delivery

SAIL parses headers (pixmap_depth=8, bits_per_pixel=32)

Exploit

Allocate 1-byte/pixel buffer

Install

Byte-swap loop accesses as uint32_t*

Write 4x beyond buffer

Execute

Corrupt heap metadata

Impact

Execute arbitrary code

Vulnerability AssessmentAI

Exploitation	Exploitation requires the target application to process XWD (X Window Dump) format image files using the vulnerable SAIL library. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Critical risk for applications parsing untrusted XWD images. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Attacker crafts a malicious XWD image file with pixmap_depth=8 and bits_per_pixel=32, then delivers it via web upload, email attachment, or API endpoint to an application using SAIL for image processing. When SAIL parses the file, it allocates a 1-byte-per-pixel buffer based on pixmap_depth=8 but processes it as uint32_t (4 bytes) during byte-swapping, writing attacker-controlled data 4x beyond buffer bounds. …
Remediation	Update SAIL library to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 or later (patch details at https://github.com/HappySeaFox/sail/commit/36aa5c7ec8a2bb35f6fb867a1177a6f141156b02). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all systems and applications using SAIL image library and identify those handling XWD image format; disable XWD codec processing if not essential. …

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-23644 vulnerability details – vuln.today

Back

Sail EUVD-2026-23644

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code