Critical Heap Overflow in SAIL Image Library (CVE-2026-40493)
The National Vulnerability Database has disclosed CVE-2026-40493, a critical heap buffer overflow vulnerability in SAIL, a cross-platform library for image loading and saving. This flaw stems from a mismatch in how the PSD codec calculates bytes-per-pixel (bpp) and how the pixel buffer is actually allocated, specifically in LAB mode images. While the calculation for channels=3, depth=16 yields 6 bytes-per-pixel, the BPP40_CIE_LAB format only allocates 5 bytes. This discrepancy leads to a deterministic heap buffer overflow with every pixel write on every row.
This vulnerability, rated 9.8 CVSS (Critical), is a classic CWE-787 (Out-of-bounds Write) issue. An attacker could craft a malicious PSD image file, and any application that uses the vulnerable SAIL library to process that file would be affected. The impact is severe: potential arbitrary code execution, denial of service, or information disclosure. The National Vulnerability Database notes that a patch for this issue is available in commit c930284445ea3ff94451ccd7a57c999eca3bc979.
Defenders need to understand the supply chain implications. If your organization uses any software that incorporates the SAIL library for image processing, you are exposed. Attackers will leverage this to gain initial access or escalate privileges. This isn’t theoretical; this is how breaches start. Identify where SAIL is used in your environment and prioritize patching. If immediate patching isn’t possible, consider restricting the processing of untrusted PSD files.
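The root cause described above is two independent bytes-per-pixel computations that never get compared: one derived from the PSD header (channels and depth), the other implied by the pixel format chosen for the output buffer. The following is an added illustration, not SAIL's own code; the enum values, function names and the 48-bit format are constructed for the example, with only the BPP40_CIE_LAB name and the 3-channel/16-bit figures taken from the advisory. It shows the consistency check that turns the silent 6-vs-5 mismatch into a refused allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed pixel formats: the enum value is the format's bits per pixel.
 * FMT_BPP40_CIE_LAB mirrors the format named in the advisory; FMT_BPP48 is a
 * hypothetical 3x16-bit format that genuinely matches a 6-byte pixel. */
enum pixel_format { FMT_UNKNOWN = 0, FMT_BPP40_CIE_LAB = 40, FMT_BPP48 = 48 };

/* Bytes per pixel implied by the PSD header: channels * depth bits / 8.
 * For channels=3, depth=16 this is 6 bytes. */
size_t header_bytes_per_pixel(unsigned channels, unsigned depth) {
    return (size_t)channels * depth / 8;
}

/* Bytes per pixel the output format actually reserves: BPP40 -> 5 bytes. */
size_t format_bytes_per_pixel(enum pixel_format f) {
    return (size_t)f / 8;
}

/* Returns 1 when the header-derived stride and the format stride agree.
 * The advisory's bug is exactly the case where this returns 0 and the
 * codec proceeds anyway, writing 6 bytes into 5-byte slots. */
int bpp_consistent(unsigned channels, unsigned depth, enum pixel_format f) {
    return header_bytes_per_pixel(channels, depth) == format_bytes_per_pixel(f);
}

/* Hardened allocation: refuse (return NULL) when the two computations
 * disagree, instead of sizing the buffer from the smaller value and later
 * writing with the larger one. Also rejects width*height*bpp overflow. */
unsigned char *alloc_pixels_checked(unsigned width, unsigned height,
                                    unsigned channels, unsigned depth,
                                    enum pixel_format f) {
    if (width == 0 || height == 0) return NULL;
    if (!bpp_consistent(channels, depth, f)) return NULL;
    size_t bpp = format_bytes_per_pixel(f);
    if (bpp == 0) return NULL;
    if (bpp > SIZE_MAX / width) return NULL;
    if ((size_t)width * bpp > SIZE_MAX / height) return NULL;
    return calloc((size_t)width * height, bpp);
}
```

Running `alloc_pixels_checked(w, h, 3, 16, FMT_BPP40_CIE_LAB)` returns NULL for the advisory's LAB case, while the same header paired with a 48-bit format allocates normally.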
What This Means For You
- If your organization's applications process images, especially PSD files, you need to determine if they utilize the SAIL library. Prioritize auditing your software dependencies for SAIL and immediately apply the patch referenced by CVE-2026-40493 (commit `c930284445ea3ff94451ccd7a57c999eca3bc979`). Restrict processing of untrusted PSD files as an interim measure.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40493 | Buffer Overflow | SAIL library prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979 |
| CVE-2026-40493 | Buffer Overflow | SAIL PSD codec when processing LAB mode images with channels=3, depth=16 |
| CVE-2026-40493 | Memory Corruption | Heap buffer overflow in SAIL PSD codec due to incorrect bytes-per-pixel calculation for BPP40_CIE_LAB format |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 06:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.