Platform: c
Component: sdl_image
Fixed in: 996.0.1
CVE-2026-35444 describes a buffer overflow vulnerability in SDL_image, a library for loading images in a variety of formats. The flaw arises from improper validation of pixel index values when processing XCF image files, leading to potential information disclosure. The vulnerability affects versions of SDL_image up to 996bf12888925932daace576e09c3053410896f8; a fix is available in version 2.0.6.
An attacker can exploit this vulnerability by crafting a malicious XCF image file. When SDL_image decodes such a file, the out-of-bounds read can leak up to 762 bytes of heap memory. Because the leaked data is written into the output surface's pixel data, it may be observable in the rendered image and could reveal sensitive information. Direct code execution is unlikely, but the information disclosure could serve as a stepping stone for further attacks, particularly in applications that rely on SDL_image to display user-provided images. The impact is amplified where the application processes untrusted image data without proper sanitization.
This CVE has been publicly disclosed. As of the current date, there are no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog. The CVSS score of 7.1 (HIGH) indicates significant potential for exploitation if an attacker can supply a malicious XCF file to a vulnerable system.
Exploit Status
EPSS: 0.01% (3rd percentile)
The primary mitigation is to upgrade to SDL_image version 2.0.6 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, restrict the image formats the application accepts, and validate the XCF file format and its contents before attempting to decode it. WAFs or proxies can be configured to block requests containing potentially malicious XCF files, although this is a less robust control. Monitor application logs for memory-safety faults or errors raised during image decoding, which could indicate exploitation attempts. After upgrading, confirm the fix by loading a known malicious XCF file and verifying that the out-of-bounds read no longer occurs; because a plain out-of-bounds read rarely crashes on its own, run that check under a memory-error detector such as AddressSanitizer so the read is reported rather than silently absorbed into the pixel data.
Update to version 2.0.6 or later to mitigate the heap buffer overflow. This update corrects the colormap index validation, preventing out-of-bounds memory access.
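To illustrate the class of defect the advisory describes, the following is an added example and not SDL_image's code: the palette layout, tile format and function names are hypothetical. It places an indexed-pixel expansion loop that trusts the file-supplied colormap index next to a hardened form that validates the declared entry count and every index before use.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout constructed for this example; not SDL_image's XCF decoder. */
#define PALETTE_ENTRIES 4   /* small so an out-of-range index is easy to show */
#define TILE_PIXELS 6
typedef struct {
    uint8_t rgb[PALETTE_ENTRIES][3];
    size_t count;           /* entry count as declared in the untrusted file header */
} Palette;

/* Vulnerable pattern: the file-supplied index is used directly, so idx >= count copies
 * whatever follows the colormap on the heap into the output pixels. Shown for contrast;
 * never call it on untrusted input. */
void expand_unchecked(const Palette *pal, const uint8_t *idx, size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        memcpy(out + 3 * i, pal->rgb[idx[i]], 3);
}

/* Hardened form: the declared count is checked against the allocation and every index
 * against the count; the tile is rejected instead of silently substituting a colour. */
int expand_checked(const Palette *pal, const uint8_t *idx, size_t n, uint8_t *out)
{
    if (pal->count == 0 || pal->count > PALETTE_ENTRIES)
        return -1;          /* header claims more entries than were allocated */
    for (size_t i = 0; i < n; i++) {
        if (idx[i] >= pal->count)
            return -1;      /* out-of-range colormap index: reject the file */
        memcpy(out + 3 * i, pal->rgb[idx[i]], 3);
    }
    return 0;
}

/* Constructed sample: a 4-entry palette, a benign tile and a tile carrying index 200. */
static const Palette sample_palette = {
    { {255, 0, 0}, {0, 255, 0}, {0, 0, 255}, {255, 255, 255} }, 4 };
static const uint8_t benign_tile[TILE_PIXELS]  = {0, 1, 2, 3, 0, 1};
static const uint8_t hostile_tile[TILE_PIXELS] = {0, 1, 200, 3, 0, 1};

/* Run the checked decoder on one sample tile; return pixel p as 0xRRGGBB, or -1 on rejection. */
long decode_sample(int hostile, size_t p)
{
    uint8_t out[3 * TILE_PIXELS];
    if (expand_checked(&sample_palette, hostile ? hostile_tile : benign_tile, TILE_PIXELS, out))
        return -1;
    return ((long)out[3 * p] << 16) | ((long)out[3 * p + 1] << 8) | out[3 * p + 2];
}
```

The benign tile decodes identically through both loops, which is why functional tests on well-formed files never surface this bug; only the hostile index exercises the missing check.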
CVE-2026-35444 is a buffer overflow vulnerability in SDL_image, affecting versions up to 996bf12888925932daace576e09c3053410896f8. It allows attackers to potentially leak heap memory by crafting malicious XCF image files.
You are affected if you are using SDL_image at commit 996bf12888925932daace576e09c3053410896f8 or earlier. Check your SDL_image version and upgrade if necessary.
Upgrade to SDL_image version 2.0.6 or later to resolve the vulnerability. If upgrading is not possible, implement input validation to restrict the processing of XCF files.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-35444, but the vulnerability poses a significant risk.
Refer to the official SDL_image project website and security advisories for updates and further information regarding CVE-2026-35444.