PT-2026-30586 · Sdl Image · Sdl Image

Sebasteuo · Published 2026-04-05 · Updated 2026-04-07 · CVE-2026-35444

CVSS v3.1: 7.1 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

Name of the Vulnerable Software and Affected Versions

SDL image (affected versions not specified)

Description

The SDL image library has an issue where pixel index values from decoded XCF tile data are used directly as colormap indices without validation against the colormap size. A crafted .xcf file with a small colormap and out-of-range pixel indices can cause heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, potentially making them observable in the rendered image.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
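
The validation the description says is missing, shown as an added example that is not SDL image's own code: a hypothetical `indexed_to_argb` helper checks every pixel index against the colormap size on both the bpp=1 and bpp=2 paths before reading the colormap. Writing a fixed pixel and counting the rejects is an assumed policy (a decoder could instead fail the load), and the colormap and rows are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not SDL image code): expand indexed pixels to ARGB.
 * cmap holds num_cols RGB triplets; bpp is 1 (index) or 2 (index, alpha).
 * Returns how many pixels carried an index outside the colormap. */
size_t indexed_to_argb(const uint8_t *src, size_t npixels, int bpp,
                       const uint8_t *cmap, size_t num_cols, uint32_t *dst)
{
    size_t bad = 0;
    if (!src || !dst || !cmap || (bpp != 1 && bpp != 2))
        return npixels;             /* unusable input: nothing is written */
    for (size_t i = 0; i < npixels; i++) {
        size_t idx = src[i * (size_t)bpp];
        uint32_t a = (bpp == 2) ? src[i * (size_t)bpp + 1] : 0xFFu;
        if (idx >= num_cols) {      /* the check against the colormap size */
            dst[i] = 0;             /* fixed value, never bytes past cmap */
            bad++;
            continue;
        }
        const uint8_t *c = cmap + idx * 3;
        dst[i] = (a << 24) | ((uint32_t)c[0] << 16) | ((uint32_t)c[1] << 8) | c[2];
    }
    return bad;
}

/* Constructed sample: 2-entry colormap (6 bytes), rows with indices 0, 1, 2, 255. */
static const uint8_t demo_cmap[6] = { 0xFF, 0x00, 0x00,  0x00, 0xFF, 0x00 };
uint32_t demo_out[4];

size_t run_demo(int bpp)
{
    static const uint8_t row1[4] = { 0, 1, 2, 255 };
    static const uint8_t row2[8] = { 0, 0x80, 1, 0x40, 2, 0xFF, 255, 0xFF };
    return indexed_to_argb(bpp == 1 ? row1 : row2, 4, bpp, demo_cmap, 2, demo_out);
}

int main(void)
{
    printf("bpp=1: %zu out-of-range indices rejected\n", run_demo(1));
    printf("bpp=2: %zu out-of-range indices rejected\n", run_demo(2));
    return 0;
}
```

A nonzero return value is a useful signal for logging or for rejecting the file outright when triaging untrusted .xcf input.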

Weakness Enumeration

Out of bounds Read

Related Identifiers

CVE-2026-35444
OPENSUSE-SU-2026:10493-1
OPENSUSE-SU-2026:10494-1

Affected Products

Sdl Image