Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-40492

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 4 days, 20 hours ago Activity log

Created suggestion 4 days, 20 hours ago

SAIL has heap buffer overflow in XWD decoder — bits_per_pixel vs pixmap_depth type confusion in byte-swap

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.

References

https://github.com/HappySeaFox/sail/security/advisories/GHSA-526v-vm72-4v64 x_refsource_CONFIRM
https://github.com/HappySeaFox/sail/commit/36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 x_refsource_MISC

Affected products

sail

==< 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02

Matching in nixpkgs

pkgs.sail

Spark-compatible compute engine built on Apache Arrow and DataFusion

nixos-unstable 0.5.3
- nixpkgs-unstable 0.5.3
- nixos-unstable-small 0.5.3

pkgs.sailsd

Simulator daemon for autonomous sailing boats

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0
nixos-25.11 0.3.0
- nixos-25.11-small 0.3.0
- nixpkgs-25.11-darwin 0.3.0

pkgs.mainsail

Web interface for managing and controlling 3D printers with Klipper

nixos-unstable 2.17.0
- nixpkgs-unstable 2.17.0
- nixos-unstable-small 2.17.0
nixos-25.11 2.14.0
- nixos-25.11-small 2.14.0
- nixpkgs-25.11-darwin 2.14.0

pkgs.sail-riscv

Formal specification of the RISC-V architecture, written in Sail

nixos-unstable 0.8
- nixpkgs-unstable 0.8
- nixos-unstable-small 0.8
nixos-25.11 0.8
- nixos-25.11-small 0.8
- nixpkgs-25.11-darwin 0.8

pkgs.ocamlPackages.sail

Language for describing the instruction-set architecture (ISA) semantics of processors

nixos-unstable 0.20.1
- nixpkgs-unstable 0.20.1
- nixos-unstable-small 0.20.1
nixos-25.11 0.20
- nixos-25.11-small 0.20
- nixpkgs-25.11-darwin 0.20

pkgs.sailfish-access-control

Thin wrapper on top of pwd.h and grp.h of glibc

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.ocamlPackages_latest.sail

Language for describing the instruction-set architecture (ISA) semantics of processors

nixos-unstable 0.20.1
- nixpkgs-unstable 0.20.1
- nixos-unstable-small 0.20.1

pkgs.haskellPackages.amazonka-lightsail

Amazon Lightsail SDK

nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16

pkgs.python312Packages.mypy-boto3-lightsail

Type annotations for boto3 lightsail

nixos-25.11 boto3-lightsail-1.41.0
- nixos-25.11-small boto3-lightsail-1.41.0
- nixpkgs-25.11-darwin boto3-lightsail-1.41.0

pkgs.python313Packages.mypy-boto3-lightsail

Type annotations for boto3 lightsail

nixos-unstable boto3-lightsail-1.42.84
- nixpkgs-unstable boto3-lightsail-1.42.84
- nixos-unstable-small boto3-lightsail-1.42.84
nixos-25.11 boto3-lightsail-1.41.0
- nixos-25.11-small boto3-lightsail-1.41.0
- nixpkgs-25.11-darwin boto3-lightsail-1.41.0

pkgs.python314Packages.mypy-boto3-lightsail

Type annotations for boto3 lightsail

nixos-unstable boto3-lightsail-1.42.84
- nixpkgs-unstable boto3-lightsail-1.42.84
- nixos-unstable-small boto3-lightsail-1.42.84

pkgs.libsForQt5.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.kdePackages.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.qt6Packages.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.python312Packages.types-aiobotocore-lightsail

Type annotations for aiobotocore lightsail

nixos-25.11 2.25.2
- nixos-25.11-small 2.25.2
- nixpkgs-25.11-darwin 2.25.2

pkgs.python313Packages.types-aiobotocore-lightsail

Type annotations for aiobotocore lightsail

nixos-unstable 3.2.1
- nixpkgs-unstable 3.2.1
- nixos-unstable-small 3.2.1
nixos-25.11 2.25.2
- nixos-25.11-small 2.25.2
- nixpkgs-25.11-darwin 2.25.2

pkgs.plasma5Packages.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

Package maintainers

@OPNA2608 Cosima Neidahl <opna2608@protonmail.com>
@lovesegfault Bernardo Meurer <meurerbernardo@gmail.com>
@Wulfsta Wulfsta <wulfstawulfsta@gmail.com>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@davidlghellin David López <hola@devel0pez.com>
@kragniz Louis Taylor <louis@kragniz.eu>
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>