CVE-2026-42146
CWE-789 · Published: May 4, 2026 · Updated: May 7, 2026
Official Description
CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5.
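The missing check described above, as an added example. This is not CImg's code and not the content of commit c3aacf5. It assumes the standard 54-byte BMP header (14-byte file header plus 40-byte BITMAPINFOHEADER, colour count at offset 46); the function names and the sample builder are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed layout: 14-byte file header + 40-byte BITMAPINFOHEADER.
constexpr std::size_t kHeaderSize = 54;
constexpr std::size_t kOffBitCount = 28;        // bits per pixel, 16-bit LE
constexpr std::size_t kOffClrUsed = 46;         // palette entry count, 32-bit LE
constexpr std::uint64_t kPaletteEntrySize = 4;  // B, G, R, reserved

static std::uint32_t le32(const std::uint8_t* p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | (std::uint32_t(p[3]) << 24);
}

// Sets palette_bytes and returns true only if the header's colour count is
// consistent with the bytes actually present after the header.
bool checked_palette_bytes(const std::vector<std::uint8_t>& file,
                           std::size_t& palette_bytes) {
    if (file.size() < kHeaderSize || file[0] != 'B' || file[1] != 'M')
        return false;
    const unsigned bpp = file[kOffBitCount] | (file[kOffBitCount + 1] << 8);
    std::uint64_t nb_colors = le32(&file[kOffClrUsed]);
    if (bpp >= 1 && bpp <= 8) {
        const std::uint64_t max_colors = std::uint64_t(1) << bpp;
        if (nb_colors == 0) nb_colors = max_colors;  // 0 means "full palette"
        if (nb_colors > max_colors) return false;
    }
    // 64-bit arithmetic: the product cannot wrap before the comparison.
    const std::uint64_t need = nb_colors * kPaletteEntrySize;
    const std::uint64_t remaining = file.size() - kHeaderSize;
    if (need > remaining) return false;  // header claims more than the file holds
    palette_bytes = static_cast<std::size_t>(need);
    return true;
}

// Constructed sample input: a minimal header followed by palette_len zero bytes.
std::vector<std::uint8_t> make_sample_bmp(unsigned bpp, std::uint32_t nb_colors,
                                          std::size_t palette_len) {
    std::vector<std::uint8_t> f(kHeaderSize + palette_len, 0);
    f[0] = 'B'; f[1] = 'M';
    f[kOffBitCount] = static_cast<std::uint8_t>(bpp & 0xFF);
    f[kOffBitCount + 1] = static_cast<std::uint8_t>((bpp >> 8) & 0xFF);
    for (int i = 0; i < 4; ++i)
        f[kOffClrUsed + i] = static_cast<std::uint8_t>((nb_colors >> (8 * i)) & 0xFF);
    return f;
}
```

A loader would call the check before sizing any buffer from the header and treat a `false` result as a malformed file.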
Technical Analysis
CVE-2026-42146 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation does not require any privileges, but user interaction is required, which slightly reduces the risk of mass automated attacks.
A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2026-42146 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts