CVE-2026-35444: CWE-125: Out-of-bounds Read in libsdl-org SDL_image
SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.
AI Analysis
Technical Summary
SDL_image's do_layer_surface() function in src/IMG_xcf.c uses pixel index values from decoded XCF tile data directly as colormap indices without validating them against the colormap size (cm_num). This leads to heap out-of-bounds reads of up to 762 bytes past the colormap allocation when processing crafted .xcf files with small colormaps and out-of-range pixel indices. Both 1-bit and 2-bit per pixel indexed image code paths are affected. The leaked heap bytes are incorporated into the output surface pixel data, potentially exposing memory contents in the rendered image. The vulnerability is fixed in commit 996bf12888925932daace576e09c3053410896f8.
Potential Impact
An attacker can craft a malicious .xcf image file that triggers heap out-of-bounds reads during image loading, causing memory beyond the colormap to be read and included in the rendered image surface. This can lead to information disclosure of heap memory contents. There is no indication of code execution or integrity impact. The vulnerability requires user interaction (loading a crafted image) and network attack vector is possible if image files are processed from untrusted sources.
Mitigation Recommendations
A fix for this vulnerability is available in SDL_image at commit 996bf12888925932daace576e09c3053410896f8. Users and developers should update to this fixed version or later to remediate the issue. Since this is a library vulnerability, ensure that any software using SDL_image is rebuilt or updated accordingly. Patch status is confirmed by the vendor commit fixing the issue.
CVE-2026-35444: CWE-125: Out-of-bounds Read in libsdl-org SDL_image
Description
SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SDL_image's do_layer_surface() function in src/IMG_xcf.c uses pixel index values from decoded XCF tile data directly as colormap indices without validating them against the colormap size (cm_num). This leads to heap out-of-bounds reads of up to 762 bytes past the colormap allocation when processing crafted .xcf files with small colormaps and out-of-range pixel indices. Both 1-bit and 2-bit per pixel indexed image code paths are affected. The leaked heap bytes are incorporated into the output surface pixel data, potentially exposing memory contents in the rendered image. The vulnerability is fixed in commit 996bf12888925932daace576e09c3053410896f8.
Potential Impact
An attacker can craft a malicious .xcf image file that triggers heap out-of-bounds reads during image loading, causing memory beyond the colormap to be read and included in the rendered image surface. This can lead to information disclosure of heap memory contents. There is no indication of code execution or integrity impact. The vulnerability requires user interaction (loading a crafted image) and network attack vector is possible if image files are processed from untrusted sources.
Mitigation Recommendations
A fix for this vulnerability is available in SDL_image at commit 996bf12888925932daace576e09c3053410896f8. Users and developers should update to this fixed version or later to remediate the issue. Since this is a library vulnerability, ensure that any software using SDL_image is rebuilt or updated accordingly. Patch status is confirmed by the vendor commit fixing the issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-02T19:25:52.192Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d42d0d0a160ebd92e15bc8
Added to database: 4/6/2026, 10:00:45 PM
Last enriched: 4/14/2026, 3:49:41 PM
Last updated: 5/22/2026, 4:04:11 PM
Views: 54
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.