CVE-2026-35444: Out-of-bounds Read in SDL Image

CWE-125: Out-of-bounds Read
9 documents, 5 sources
Severity
7.1 HIGH (NVD)
EPSS
0.0% (top 98.57%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 6
Latest update: Apr 7

Description

SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are
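The missing check described above, as an added C illustration that is not SDL_image's own code from src/IMG_xcf.c. It models the indexed-tile to RGBA conversion with the index validated against cm_num, next to the unchecked pattern the advisory describes. Assumptions (not stated on this page): colormap entries are 3 bytes (R, G, B); a bpp=1 tile carries one index byte per pixel and a bpp=2 tile carries an index byte followed by an alpha byte; output pixels are packed as 0xAARRGGBB. Under the 3-byte-entry assumption, the smallest colormap (2 entries) and the largest 8-bit index (255) give 254 * 3 = 762 bytes past the allocation, which matches the figure in the description; the sample colormap and tiles are constructed here.

```c
/* Added illustration, not SDL_image code. Models the indexed XCF tile
 * conversion with and without a bounds check on the colormap index.
 * Assumed layout: 3 bytes per colormap entry; bpp=1 = index,
 * bpp=2 = index followed by alpha; output packed as 0xAARRGGBB. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes that fetching entry idx reads past the end of a cm_num-entry
 * colormap when no check is made (0 when idx is in range). For cm_num=2
 * and idx=255 this is 254 * 3 = 762, the figure quoted in the advisory. */
size_t colormap_overread_bytes(uint32_t idx, uint32_t cm_num)
{
    if (idx < cm_num)
        return 0;
    return (size_t)(idx + 1 - cm_num) * 3;
}

/* Vulnerable pattern: the index decoded from tile data selects a colormap
 * entry directly, so an index >= cm_num reads heap memory past the
 * colormap allocation. Only ever call this with in-range indices. */
void indexed_to_rgba_unchecked(const uint8_t *tile, size_t npix, int bpp,
                               const uint8_t *cm, uint32_t *out)
{
    for (size_t i = 0; i < npix; i++) {
        uint32_t idx = tile[i * bpp];
        uint32_t a = (bpp == 2) ? tile[i * bpp + 1] : 0xFFu;
        const uint8_t *e = cm + idx * 3;   /* no comparison against cm_num */
        out[i] = (a << 24) | ((uint32_t)e[0] << 16) | ((uint32_t)e[1] << 8) | e[2];
    }
}

/* Hardened form: reject the tile (and therefore the file) on the first
 * out-of-range index rather than clamping it, so a crafted file cannot
 * turn heap contents into pixel values. */
bool indexed_to_rgba_checked(const uint8_t *tile, size_t npix, int bpp,
                             const uint8_t *cm, uint32_t cm_num, uint32_t *out)
{
    if (bpp != 1 && bpp != 2)
        return false;
    for (size_t i = 0; i < npix; i++) {
        uint32_t idx = tile[i * bpp];
        if (idx >= cm_num)
            return false;              /* index beyond the colormap */
        uint32_t a = (bpp == 2) ? tile[i * bpp + 1] : 0xFFu;
        const uint8_t *e = cm + idx * 3;
        out[i] = (a << 24) | ((uint32_t)e[0] << 16) | ((uint32_t)e[1] << 8) | e[2];
    }
    return true;
}

/* Stand-alone demo on constructed data: a 2-entry colormap (red, green),
 * one valid bpp=1 tile and one tile carrying an out-of-range index. */
int main(void)
{
    const uint8_t cm[6] = { 255, 0, 0,  0, 255, 0 };
    const uint8_t good[4] = { 0, 1, 1, 0 };
    const uint8_t bad[2] = { 0, 255 };
    uint32_t out[4];

    if (indexed_to_rgba_checked(good, 4, 1, cm, 2, out))
        printf("good tile: %08x %08x %08x %08x\n", out[0], out[1], out[2], out[3]);
    if (!indexed_to_rgba_checked(bad, 2, 1, cm, 2, out))
        printf("bad tile rejected; unchecked read would reach %zu bytes past the colormap\n",
               colormap_overread_bytes(255, 2));
    return 0;
}
```

Rejecting rather than clamping is the safer choice: a clamped index still decodes the file silently, while a hard failure surfaces the malformed input to the caller.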

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Exploitability: 2.8 | Impact: 4.2

Affected Packages (4 packages)

CVEList V5: libsdl-org/sdl_image < 996bf12888925932daace576e09c3053410896f8

🔴 Vulnerability Details (1)

OSV: CVE-2026-35444: SDL_image is a library to load images of various formats as SDL surfaces (2026-04-06)

📋 Vendor Advisories (1)

Debian: CVE-2026-35444: libsdl2-image - SDL_image is a library to load images of various formats as SDL surfaces. In do_... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-35444 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (5)

Bugzilla: CVE-2026-35444 SDL2_image: SDL_image: Information disclosure via crafted XCF files [epel-all] (2026-04-07)
Bugzilla: CVE-2026-35444 SDL3_image: SDL_image: Information disclosure via crafted XCF files [fedora-all] (2026-04-07)
Bugzilla: CVE-2026-35444 mingw-SDL2_image: SDL_image: Information disclosure via crafted XCF files [fedora-all] (2026-04-07)
Bugzilla: CVE-2026-35444 SDL2_image: SDL_image: Information disclosure via crafted XCF files [fedora-all] (2026-04-07)
Bugzilla: CVE-2026-35444 SDL_image: SDL_image: Information disclosure via crafted XCF files (2026-04-06)