CVE-2026-35444 - SDL_image has a heap buffer overflow READ via unchecked colormap index in XCF loader
CVE ID :CVE-2026-35444
Published : April 6, 2026, 10:16 p.m. | 2 hours, 51 minutes ago
Description :SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : April 6, 2026, 10:16 p.m. | 2 hours, 51 minutes ago
Description :SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...