CVE-2026-35444

EUVD-2026-19527
SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Affected Products (NVD)
VendorProductVersion
libsdlsdl_image
𝑥
< 2026-04-02
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libsdl2-image
bookworm
no-dsa
bullseye
postponed
forky
2.8.12+dfsg-1
fixed
sid
2.8.12+dfsg-1
fixed
trixie
no-dsa
libsdl3-image
forky
3.4.4+ds-1
fixed
sid
3.4.4+ds-1
fixed
trixie
no-dsa
sdl-image1.2
bookworm
no-dsa
bullseye
postponed
forky
vulnerable
sid
vulnerable
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libsdl2-image
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
resolute
needs-triage
trusty
needs-triage
xenial
ignored
libsdl3-image
jammy
dne
noble
dne
questing
needs-triage
resolute
needs-triage
sdl-image1.2
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
resolute
needs-triage
trusty
needs-triage
xenial
ignored
Common Weakness Enumeration
References
https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7