CVE-2026-40494: CWE-787: Out-of-bounds Write in HappySeaFox sail
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.
AI Analysis
Technical Summary
The HappySeaFox sail library, used for image loading and saving, contained an out-of-bounds write vulnerability (CWE-787) in its TGA codec's RLE decoder. Specifically, the raw-packet decoding path lacked a bounds check on the repeat count, allowing an attacker to write up to 496 bytes beyond the allocated heap buffer. This flaw was corrected in commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, which added the necessary bounds checking. The vulnerability has a CVSS 3.1 base score of 9.8, reflecting its critical impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation of this vulnerability can lead to arbitrary code execution, memory corruption, or denial of service due to heap buffer overflow. The attacker can control up to 496 bytes of data written out-of-bounds, potentially compromising the affected system or application using the vulnerable sail library version prior to the patch commit.
Mitigation Recommendations
A fix is available in commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, which patches the out-of-bounds write by adding proper bounds checks in the raw-packet path of the TGA codec's RLE decoder. Users should update to this commit or a later version that includes this fix. Since this is not a cloud service, remediation requires updating the affected software. Patch status beyond the commit is not explicitly stated; verify with the vendor or project repository for official releases containing this fix.
CVE-2026-40494: CWE-787: Out-of-bounds Write in HappySeaFox sail
Description
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.
CVSS v3.1
Score 9.8critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The HappySeaFox sail library, used for image loading and saving, contained an out-of-bounds write vulnerability (CWE-787) in its TGA codec's RLE decoder. Specifically, the raw-packet decoding path lacked a bounds check on the repeat count, allowing an attacker to write up to 496 bytes beyond the allocated heap buffer. This flaw was corrected in commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, which added the necessary bounds checking. The vulnerability has a CVSS 3.1 base score of 9.8, reflecting its critical impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation of this vulnerability can lead to arbitrary code execution, memory corruption, or denial of service due to heap buffer overflow. The attacker can control up to 496 bytes of data written out-of-bounds, potentially compromising the affected system or application using the vulnerable sail library version prior to the patch commit.
Mitigation Recommendations
A fix is available in commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, which patches the out-of-bounds write by adding proper bounds checks in the raw-packet path of the TGA codec's RLE decoder. Users should update to this commit or a later version that includes this fix. Since this is not a cloud service, remediation requires updating the affected software. Patch status beyond the commit is not explicitly stated; verify with the vendor or project repository for official releases containing this fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-13T19:50:42.115Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2ee8ebdfbbecc59cda5df
Added to database: 4/18/2026, 2:38:06 AM
Last enriched: 4/25/2026, 2:57:08 AM
Last updated: 6/1/2026, 1:52:59 PM
Views: 100
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.