CVE-2026-42146: CWE-789: Memory Allocation with Excessive Size Value in GreycLab CImg
CVE-2026-42146 is a medium severity vulnerability in the CImg C++ image processing library. It involves improper validation of the nb_colors field from BMP file headers, which is used directly to compute memory allocation size. A crafted BMP file with a large nb_colors value can cause an out-of-memory condition, crashing applications that load untrusted BMP files using affected CImg versions. This issue has been fixed in commit c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3.
AI Analysis
Technical Summary
The CImg library prior to commit c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3 reads the nb_colors field from BMP headers without validating it against the remaining file size. This leads to excessive memory allocation requests when processing crafted BMP files, resulting in out-of-memory conditions and application crashes. The vulnerability is tracked as CWE-789 (Memory Allocation with Excessive Size Value) and has a CVSS 3.1 base score of 5.5, reflecting a medium severity denial-of-service impact. The issue is resolved by validating the nb_colors field before allocation in the referenced commit.
Potential Impact
Exploitation of this vulnerability can cause denial of service by crashing applications that use vulnerable versions of CImg to load specially crafted BMP files. There is no indication of confidentiality or integrity impact. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability has been patched in commit c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3. Users of CImg should upgrade to this fixed version or later to remediate the issue. Patch status is confirmed by the vendor commit. No additional mitigations are indicated.
CVE-2026-42146: CWE-789: Memory Allocation with Excessive Size Value in GreycLab CImg
Description
CVE-2026-42146 is a medium severity vulnerability in the CImg C++ image processing library. It involves improper validation of the nb_colors field from BMP file headers, which is used directly to compute memory allocation size. A crafted BMP file with a large nb_colors value can cause an out-of-memory condition, crashing applications that load untrusted BMP files using affected CImg versions. This issue has been fixed in commit c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The CImg library prior to commit c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3 reads the nb_colors field from BMP headers without validating it against the remaining file size. This leads to excessive memory allocation requests when processing crafted BMP files, resulting in out-of-memory conditions and application crashes. The vulnerability is tracked as CWE-789 (Memory Allocation with Excessive Size Value) and has a CVSS 3.1 base score of 5.5, reflecting a medium severity denial-of-service impact. The issue is resolved by validating the nb_colors field before allocation in the referenced commit.
Potential Impact
Exploitation of this vulnerability can cause denial of service by crashing applications that use vulnerable versions of CImg to load specially crafted BMP files. There is no indication of confidentiality or integrity impact. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability has been patched in commit c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3. Users of CImg should upgrade to this fixed version or later to remediate the issue. Patch status is confirmed by the vendor commit. No additional mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-24T17:15:21.834Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f8e3e0cbff5d86103e4669
Added to database: 5/4/2026, 6:22:24 PM
Last enriched: 5/4/2026, 6:36:32 PM
Last updated: 5/4/2026, 10:30:30 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.