9.8
SAIL TGA RLE decoder can write data past a buffer
CVE-2026-40494
Summary
A bug in the SAIL library's TGA image decoder lets the RLE raw-packet path write data past the end of a heap buffer, because that path lacks the bounds check that the run-packet path has. An attacker who controls the image being decoded controls the bytes that are written out of bounds. Update to the latest version of the SAIL library to fix this issue.
Original title
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE ...
Original description
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (lines 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.
NVD CVSS 3.1
9.8
Vulnerability type
CWE-787
Out-of-bounds Write
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026