CVE-2026-35444 | THREATINT

Description

SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.

PUBLISHED Reserved 2026-04-02 | Published 2026-04-06 | Updated 2026-04-08 | Assigner GitHub_M

HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

Problem types

CWE-125: Out-of-bounds Read

Product status

< 996bf12888925932daace576e09c3053410896f8

affected

References

github.com/..._image/security/advisories/GHSA-gq8w-x74c-h6p7

cve.org (CVE-2026-35444)

nvd.nist.gov (CVE-2026-35444)

Download JSON