Nixpkgs security tracker

Untriaged

Permalink CVE-2026-40492

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 4 days, 19 hours ago Activity log

Created suggestion 4 days, 19 hours ago

SAIL has heap buffer overflow in XWD decoder — bits_per_pixel vs pixmap_depth type confusion in byte-swap

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.

References

https://github.com/HappySeaFox/sail/security/advisories/GHSA-526v-vm72-4v64 x_refsource_CONFIRM
https://github.com/HappySeaFox/sail/commit/36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 x_refsource_MISC

Affected products

sail

==< 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02

Matching in nixpkgs

pkgs.sail

Spark-compatible compute engine built on Apache Arrow and DataFusion

nixos-unstable 0.5.3
- nixpkgs-unstable 0.5.3
- nixos-unstable-small 0.5.3

pkgs.sailsd

Simulator daemon for autonomous sailing boats

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0
nixos-25.11 0.3.0
- nixos-25.11-small 0.3.0
- nixpkgs-25.11-darwin 0.3.0

pkgs.mainsail

Web interface for managing and controlling 3D printers with Klipper

nixos-unstable 2.17.0
- nixpkgs-unstable 2.17.0
- nixos-unstable-small 2.17.0
nixos-25.11 2.14.0
- nixos-25.11-small 2.14.0
- nixpkgs-25.11-darwin 2.14.0

pkgs.sail-riscv

Formal specification of the RISC-V architecture, written in Sail

nixos-unstable 0.8
- nixpkgs-unstable 0.8
- nixos-unstable-small 0.8
nixos-25.11 0.8
- nixos-25.11-small 0.8
- nixpkgs-25.11-darwin 0.8

pkgs.ocamlPackages.sail

Language for describing the instruction-set architecture (ISA) semantics of processors

nixos-unstable 0.20.1
- nixpkgs-unstable 0.20.1
- nixos-unstable-small 0.20.1
nixos-25.11 0.20
- nixos-25.11-small 0.20
- nixpkgs-25.11-darwin 0.20

pkgs.sailfish-access-control

Thin wrapper on top of pwd.h and grp.h of glibc

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.ocamlPackages_latest.sail

Language for describing the instruction-set architecture (ISA) semantics of processors

nixos-unstable 0.20.1
- nixpkgs-unstable 0.20.1
- nixos-unstable-small 0.20.1

pkgs.haskellPackages.amazonka-lightsail

Amazon Lightsail SDK

nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16

pkgs.python312Packages.mypy-boto3-lightsail

Type annotations for boto3 lightsail

nixos-25.11 boto3-lightsail-1.41.0
- nixos-25.11-small boto3-lightsail-1.41.0
- nixpkgs-25.11-darwin boto3-lightsail-1.41.0

pkgs.python313Packages.mypy-boto3-lightsail

Type annotations for boto3 lightsail

nixos-unstable boto3-lightsail-1.42.84
- nixpkgs-unstable boto3-lightsail-1.42.84
- nixos-unstable-small boto3-lightsail-1.42.84
nixos-25.11 boto3-lightsail-1.41.0
- nixos-25.11-small boto3-lightsail-1.41.0
- nixpkgs-25.11-darwin boto3-lightsail-1.41.0

pkgs.python314Packages.mypy-boto3-lightsail

Type annotations for boto3 lightsail

nixos-unstable boto3-lightsail-1.42.84
- nixpkgs-unstable boto3-lightsail-1.42.84
- nixos-unstable-small boto3-lightsail-1.42.84

pkgs.libsForQt5.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.kdePackages.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.qt6Packages.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.python312Packages.types-aiobotocore-lightsail

Type annotations for aiobotocore lightsail

nixos-25.11 2.25.2
- nixos-25.11-small 2.25.2
- nixpkgs-25.11-darwin 2.25.2

pkgs.python313Packages.types-aiobotocore-lightsail

Type annotations for aiobotocore lightsail

nixos-unstable 3.2.1
- nixpkgs-unstable 3.2.1
- nixos-unstable-small 3.2.1
nixos-25.11 2.25.2
- nixos-25.11-small 2.25.2
- nixpkgs-25.11-darwin 2.25.2

pkgs.plasma5Packages.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

Package maintainers

@OPNA2608 Cosima Neidahl <opna2608@protonmail.com>
@lovesegfault Bernardo Meurer <meurerbernardo@gmail.com>
@Wulfsta Wulfsta <wulfstawulfsta@gmail.com>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@davidlghellin David López <hola@devel0pez.com>
@kragniz Louis Taylor <louis@kragniz.eu>
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>

Untriaged

Permalink CVE-2026-40494

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 4 days, 19 hours ago Activity log

Created suggestion 4 days, 19 hours ago

SAIL has heap buffer overflow in TGA RLE decoder — raw packet path missing bounds check

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.

References

https://github.com/HappySeaFox/sail/security/advisories/GHSA-cp2j-rwh4-r46f x_refsource_CONFIRM
https://github.com/HappySeaFox/sail/commit/45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 x_refsource_MISC

Affected products

sail

==< 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302

Matching in nixpkgs

pkgs.sail

Spark-compatible compute engine built on Apache Arrow and DataFusion

nixos-unstable 0.5.3
- nixpkgs-unstable 0.5.3
- nixos-unstable-small 0.5.3

pkgs.sailsd

Simulator daemon for autonomous sailing boats

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0
nixos-25.11 0.3.0
- nixos-25.11-small 0.3.0
- nixpkgs-25.11-darwin 0.3.0

pkgs.mainsail

Web interface for managing and controlling 3D printers with Klipper

nixos-unstable 2.17.0
- nixpkgs-unstable 2.17.0
- nixos-unstable-small 2.17.0
nixos-25.11 2.14.0
- nixos-25.11-small 2.14.0
- nixpkgs-25.11-darwin 2.14.0

pkgs.sail-riscv

Formal specification of the RISC-V architecture, written in Sail

nixos-unstable 0.8
- nixpkgs-unstable 0.8
- nixos-unstable-small 0.8
nixos-25.11 0.8
- nixos-25.11-small 0.8
- nixpkgs-25.11-darwin 0.8

pkgs.ocamlPackages.sail

Language for describing the instruction-set architecture (ISA) semantics of processors

nixos-unstable 0.20.1
- nixpkgs-unstable 0.20.1
- nixos-unstable-small 0.20.1
nixos-25.11 0.20
- nixos-25.11-small 0.20
- nixpkgs-25.11-darwin 0.20

pkgs.sailfish-access-control

Thin wrapper on top of pwd.h and grp.h of glibc

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.ocamlPackages_latest.sail

Language for describing the instruction-set architecture (ISA) semantics of processors

nixos-unstable 0.20.1
- nixpkgs-unstable 0.20.1
- nixos-unstable-small 0.20.1

pkgs.haskellPackages.amazonka-lightsail

Amazon Lightsail SDK

nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16

pkgs.python312Packages.mypy-boto3-lightsail

Type annotations for boto3 lightsail

nixos-25.11 boto3-lightsail-1.41.0
- nixos-25.11-small boto3-lightsail-1.41.0
- nixpkgs-25.11-darwin boto3-lightsail-1.41.0

pkgs.python313Packages.mypy-boto3-lightsail

Type annotations for boto3 lightsail

nixos-unstable boto3-lightsail-1.42.84
- nixpkgs-unstable boto3-lightsail-1.42.84
- nixos-unstable-small boto3-lightsail-1.42.84
nixos-25.11 boto3-lightsail-1.41.0
- nixos-25.11-small boto3-lightsail-1.41.0
- nixpkgs-25.11-darwin boto3-lightsail-1.41.0

pkgs.python314Packages.mypy-boto3-lightsail

Type annotations for boto3 lightsail

nixos-unstable boto3-lightsail-1.42.84
- nixpkgs-unstable boto3-lightsail-1.42.84
- nixos-unstable-small boto3-lightsail-1.42.84

pkgs.libsForQt5.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.kdePackages.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.qt6Packages.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.python312Packages.types-aiobotocore-lightsail

Type annotations for aiobotocore lightsail

nixos-25.11 2.25.2
- nixos-25.11-small 2.25.2
- nixpkgs-25.11-darwin 2.25.2

pkgs.python313Packages.types-aiobotocore-lightsail

Type annotations for aiobotocore lightsail

nixos-unstable 3.2.1
- nixpkgs-unstable 3.2.1
- nixos-unstable-small 3.2.1
nixos-25.11 2.25.2
- nixos-25.11-small 2.25.2
- nixpkgs-25.11-darwin 2.25.2

pkgs.plasma5Packages.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

Package maintainers

@OPNA2608 Cosima Neidahl <opna2608@protonmail.com>
@lovesegfault Bernardo Meurer <meurerbernardo@gmail.com>
@Wulfsta Wulfsta <wulfstawulfsta@gmail.com>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@davidlghellin David López <hola@devel0pez.com>
@kragniz Louis Taylor <louis@kragniz.eu>
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>

Untriaged

Permalink CVE-2026-40493

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 4 days, 19 hours ago Activity log

Created suggestion 4 days, 19 hours ago

SAIL has heap buffer overflow in PSD decoder — bpp mismatch in LAB 16-bit mode

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.

References

https://github.com/HappySeaFox/sail/security/advisories/GHSA-rcqx-gc76-r9mv x_refsource_CONFIRM
https://github.com/HappySeaFox/sail/commit/c930284445ea3ff94451ccd7a57c999eca3bc979 x_refsource_MISC

Affected products

sail

==< c930284445ea3ff94451ccd7a57c999eca3bc979

Matching in nixpkgs

pkgs.sail

Spark-compatible compute engine built on Apache Arrow and DataFusion

nixos-unstable 0.5.3
- nixpkgs-unstable 0.5.3
- nixos-unstable-small 0.5.3

pkgs.sailsd

Simulator daemon for autonomous sailing boats

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0
nixos-25.11 0.3.0
- nixos-25.11-small 0.3.0
- nixpkgs-25.11-darwin 0.3.0

pkgs.mainsail

Web interface for managing and controlling 3D printers with Klipper

nixos-unstable 2.17.0
- nixpkgs-unstable 2.17.0
- nixos-unstable-small 2.17.0
nixos-25.11 2.14.0
- nixos-25.11-small 2.14.0
- nixpkgs-25.11-darwin 2.14.0

pkgs.sail-riscv

Formal specification of the RISC-V architecture, written in Sail

nixos-unstable 0.8
- nixpkgs-unstable 0.8
- nixos-unstable-small 0.8
nixos-25.11 0.8
- nixos-25.11-small 0.8
- nixpkgs-25.11-darwin 0.8

pkgs.ocamlPackages.sail

Language for describing the instruction-set architecture (ISA) semantics of processors

nixos-unstable 0.20.1
- nixpkgs-unstable 0.20.1
- nixos-unstable-small 0.20.1
nixos-25.11 0.20
- nixos-25.11-small 0.20
- nixpkgs-25.11-darwin 0.20

pkgs.sailfish-access-control

Thin wrapper on top of pwd.h and grp.h of glibc

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.ocamlPackages_latest.sail

Language for describing the instruction-set architecture (ISA) semantics of processors

nixos-unstable 0.20.1
- nixpkgs-unstable 0.20.1
- nixos-unstable-small 0.20.1

pkgs.haskellPackages.amazonka-lightsail

Amazon Lightsail SDK

nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16

pkgs.python312Packages.mypy-boto3-lightsail

Type annotations for boto3 lightsail

nixos-25.11 boto3-lightsail-1.41.0
- nixos-25.11-small boto3-lightsail-1.41.0
- nixpkgs-25.11-darwin boto3-lightsail-1.41.0

pkgs.python313Packages.mypy-boto3-lightsail

Type annotations for boto3 lightsail

nixos-unstable boto3-lightsail-1.42.84
- nixpkgs-unstable boto3-lightsail-1.42.84
- nixos-unstable-small boto3-lightsail-1.42.84
nixos-25.11 boto3-lightsail-1.41.0
- nixos-25.11-small boto3-lightsail-1.41.0
- nixpkgs-25.11-darwin boto3-lightsail-1.41.0

pkgs.python314Packages.mypy-boto3-lightsail

Type annotations for boto3 lightsail

nixos-unstable boto3-lightsail-1.42.84
- nixpkgs-unstable boto3-lightsail-1.42.84
- nixos-unstable-small boto3-lightsail-1.42.84

pkgs.libsForQt5.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.kdePackages.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.qt6Packages.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

pkgs.python312Packages.types-aiobotocore-lightsail

Type annotations for aiobotocore lightsail

nixos-25.11 2.25.2
- nixos-25.11-small 2.25.2
- nixpkgs-25.11-darwin 2.25.2

pkgs.python313Packages.types-aiobotocore-lightsail

Type annotations for aiobotocore lightsail

nixos-unstable 3.2.1
- nixpkgs-unstable 3.2.1
- nixos-unstable-small 3.2.1
nixos-25.11 2.25.2
- nixos-25.11-small 2.25.2
- nixpkgs-25.11-darwin 2.25.2

pkgs.plasma5Packages.sailfish-access-control-plugin

QML interface for sailfish-access-control

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.12
- nixos-25.11-small 0.0.12
- nixpkgs-25.11-darwin 0.0.12

Package maintainers

@OPNA2608 Cosima Neidahl <opna2608@protonmail.com>
@lovesegfault Bernardo Meurer <meurerbernardo@gmail.com>
@Wulfsta Wulfsta <wulfstawulfsta@gmail.com>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@davidlghellin David López <hola@devel0pez.com>
@kragniz Louis Taylor <louis@kragniz.eu>
@mbalatsko Maksym Balatsko <mbalatsko@gmail.com>

Untriaged

Permalink CVE-2026-27168

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): ADJACENT_NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 2 months ago Activity log

Created suggestion 2 months ago

SAIL: Heap-based Buffer Overflow in Sail-codecs-xwd

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to Heap-based Buffer Overflow through the XWD parser's use of the bytes_per_line value. The value os read directly from the file as the read size in io->strict_read(), and is never compared to the actual size of the destination buffer. An attacker can provide an XWD file with an arbitrarily large bytes_per_line, causing a massive write operation beyond the buffer heap allocated for the image pixels. The issue did not have a fix at the time of publication.