CVE-2026-42144 MEDIUM

CVE-2026-42144: CImg Library: Integer overflow in PNM size check bypasses memory guard (_load_pnm)

Vendor Greyclab
Product CImg
Weakness CWE-190
Published May 4, 2026
Last update May 5, 2026

CVSS base score

6.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

What the vulnerability does

01Description

CImg Library is a C++ library for image processing. Prior to commit 4ca26bc, there is an integer overflow vulnerability in the W*H*D size computation inside _load_pnm() that can bypass the memory allocation guard. A crafted PNM/PGM/PPM file with large dimension values causes the overflow to wrap around, allocating an undersized buffer and potentially triggering a heap buffer overflow. Any application using CImg to load untrusted image files is affected. This issue has been patched via commit 4ca26bc.

Key dates

02Disclosure timeline

May 4, 2026 CVE published
May 5, 2026 Record updated