Platform
c
Component
sail
Fixed in
930284445.0.1
CVE-2026-40493 describes a buffer overflow vulnerability discovered in the SAIL image library. This flaw allows attackers to trigger deterministic heap corruption by providing specially crafted PSD (Photoshop Document) images. The vulnerability affects versions 0.1.0 up to commit c930284445ea3ff94451ccd7a57c999eca3bc979, and a fix is available in version 0.3.1.
The buffer overflow occurs within the PSD codec of SAIL when processing images in LAB color mode. The code incorrectly calculates the bytes-per-pixel (bpp) value, leading to an allocation of an insufficient buffer size. Consequently, every pixel write operation overflows the allocated memory, resulting in a deterministic heap corruption. This corruption can be exploited to overwrite critical data structures on the heap, potentially allowing an attacker to execute arbitrary code and gain control of the system. The deterministic nature of the overflow makes exploitation more reliable and predictable.
This vulnerability has not been publicly exploited as of the publication date. It is not currently listed on the CISA KEV catalog. While a public proof-of-concept is not yet available, the deterministic nature of the overflow suggests a relatively low barrier to exploitation. The vulnerability's impact is significant due to the potential for remote code execution.
Exploit Status
EPSS
0.06% (17% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40493 is to upgrade to SAIL version 0.3.1 or later, which contains the fix for the buffer overflow. If upgrading is not immediately feasible, consider implementing input validation to reject PSD files with specific characteristics (e.g., LAB color mode with channels=3 and depth=16). WAF rules could be configured to block requests containing PSD files with suspicious metadata. Monitor system memory for unexpected heap corruption patterns. After upgrading, confirm the fix by attempting to load a known malicious PSD file and verifying that no crash or unexpected behavior occurs.
Update the SAIL library to version 0.3.1 or later to mitigate the heap buffer overflow. The update corrects an error in the PSD decoder that caused a heap buffer overflow when processing 16-bit LAB images due to a discrepancy in the calculation of bytes per pixel.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40493 is a critical buffer overflow vulnerability in the SAIL image library affecting versions 0.1.0 through c930284445ea3ff94451ccd7a57c999eca3bc979. Crafted PSD images can trigger heap corruption, potentially leading to remote code execution.
You are affected if your application uses SAIL versions 0.1.0 through c930284445ea3ff94451ccd7a57c999eca3bc979 to process PSD images. Check your dependencies to determine if you are using a vulnerable version.
Upgrade to SAIL version 0.3.1 or later to resolve the buffer overflow vulnerability. If immediate upgrade is not possible, implement input validation to reject suspicious PSD files.
As of the publication date, CVE-2026-40493 is not known to be actively exploited, but the deterministic nature of the overflow suggests a relatively low barrier to exploitation.
Refer to the SAIL project's official website or GitHub repository for the latest security advisories and updates related to CVE-2026-40493.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.