Untriaged
CVE-2026-35444
7.1 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): LOW
SDL_image has a heap buffer overflow READ via unchecked colormap index in XCF loader
SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.
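The missing check described above, as an added example that is not SDL_image's code or the fix commit: every pixel index is validated against cm_num before the colormap is read. The function and sample names are hypothetical, the bpp=2 layout (index byte followed by an alpha byte) is an assumption, and rejecting the whole tile is this example's policy choice.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper (not SDL_image code): convert indexed tile pixels to
 * 0xAARRGGBB. cmap holds cm_num RGB triplets; bpp is 1 (index only) or
 * 2 (index followed by an alpha byte; layout assumed for this example). */
int indexed_to_argb(const uint8_t *tile, size_t npixels, int bpp,
                    const uint8_t *cmap, uint32_t cm_num, uint32_t *out)
{
    size_t i;
    if (bpp != 1 && bpp != 2)
        return -1;
    /* Pass 1: reject the tile if any index falls outside the colormap,
     * so cmap[idx * 3] is never evaluated for an untrusted idx. */
    for (i = 0; i < npixels; i++) {
        if (tile[i * (size_t)bpp] >= cm_num)
            return -1;
    }
    /* Pass 2: every index is now known to be < cm_num. */
    for (i = 0; i < npixels; i++) {
        const uint8_t *px = tile + i * (size_t)bpp;
        const uint8_t *rgb = cmap + (size_t)px[0] * 3;
        uint32_t alpha = (bpp == 2) ? px[1] : 0xFFu;
        out[i] = (alpha << 24) | ((uint32_t)rgb[0] << 16) |
                 ((uint32_t)rgb[1] << 8) | rgb[2];
    }
    return 0;
}

/* Constructed sample data: a 2-entry colormap (6 bytes). */
static const uint8_t sample_cmap[6] = { 0x10, 0x20, 0x30, 0xAA, 0xBB, 0xCC };

/* Well-formed bpp=2 tile: indices 1 and 0 with alpha 0x80 and 0xFF. */
uint32_t demo_valid_pixel(void)
{
    const uint8_t tile[4] = { 1, 0x80, 0, 0xFF };
    uint32_t out[2] = { 0, 0 };
    if (indexed_to_argb(tile, 2, 2, sample_cmap, 2, out) != 0)
        return 0;
    return out[0];
}

/* Constructed bpp=1 tile: index 255 with a 2-entry colormap is rejected. */
int demo_crafted_rejected(void)
{
    const uint8_t tile[3] = { 0, 1, 255 };
    uint32_t out[3] = { 0, 0, 0 };
    return indexed_to_argb(tile, 3, 1, sample_cmap, 2, out);
}
```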
References
- https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7 x_refsource_CONFIRM
Affected products
SDL_image
- ==< 996bf12888925932daace576e09c3053410896f8
Matching in nixpkgs
pkgs.SDL_image
SDL image library
- nixos-unstable 1.2.12-unstable-2025-11-06
- nixpkgs-unstable 1.2.12-unstable-2025-11-06
- nixos-unstable-small 1.2.12-unstable-2025-11-06
- nixos-25.11 1.2.12-unstable-2025-11-06
- nixos-25.11-small 1.2.12-unstable-2025-11-06
- nixpkgs-25.11-darwin 1.2.12-unstable-2025-11-06
Package maintainers
- @pbsds Peder Bergebakken Sundt <pbsds@hotmail.com>
- @jansol Jan Solanti <jan.solanti@paivola.fi>
- @marcin-serwin Marcin Serwin <marcin@serwin.dev>
- @EvysGarden Evy Garden <evysgarden@protonmail.com>
- @LordGrimmauld Sören Bender <soeren@benjos.de>