CVE-2026-42144 Overview
CVE-2026-42144 is an integer overflow vulnerability in the CImg Library, a C++ header-only library for image processing. The flaw resides in the _load_pnm() function, where the W*H*D size computation can wrap around when processing crafted PNM, PGM, or PPM files with large dimension values. The overflow bypasses the existing memory allocation guard, resulting in an undersized buffer allocation that can trigger a heap buffer overflow during image loading. Any application that uses CImg to parse untrusted image files is affected. Maintainers patched the issue in commit 4ca26bc, which is included in CImg release v3.7.5.
Critical Impact
A crafted PNM/PGM/PPM file can bypass the buffer dimension check in _load_pnm(), causing heap buffer overflow conditions in any consumer of the CImg Library.
Affected Products
- CImg Library versions prior to commit 4ca26bc
- Applications linking the CImg header that load untrusted PNM, PGM, or PPM files
- Downstream image-processing tools relying on CImg for PNM parsing
Discovery Timeline
- 2026-05-04 - CVE-2026-42144 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-42144
Vulnerability Analysis
The vulnerability is an integer overflow [CWE-190] in the dimension validation logic of CImg's PNM loader. When _load_pnm() parses the header of a PNM, PGM, or PPM file, it reads three dimension values: width (W), height (H), and depth (D). The loader multiplies these values to compute the expected pixel count and compares the result against the file size. Because the operands are 32-bit integers, the multiplication can wrap before the comparison runs.
When the wrapped result is smaller than the actual file size, the size guard passes. CImg then allocates a buffer sized from the truncated value while later read operations use the original large dimensions. Subsequent pixel writes exceed the allocated buffer, corrupting adjacent heap memory.
Root Cause
The root cause is the absence of a 64-bit promotion before the multiplication of W*H*D. The pre-patch code performed arithmetic in the native integer width, allowing values such as W=H=D=2642246 to wrap silently. The fix casts the first operand to cimg_int64, forcing the entire expression into 64-bit arithmetic and preserving the true product.
Attack Vector
Exploitation requires the victim to load a malicious image file with a CImg-based application. The CVSS vector indicates a local attack vector with user interaction required. An attacker delivers a crafted PNM file by email, web download, or shared storage, then waits for the user to open it in an affected viewer or processing pipeline.
if (filename) { // Check that dimensions specified in file does not exceed the buffer dimension
const cimg_int64 siz = cimg::fsize(filename);
- if (W*H*D>siz)
+ if ((cimg_int64)W*H*D>siz)
throw CImgIOException(_cimg_instance
"load_pnm(): Specified image dimensions in file '%s' exceed file size.",
cimg_instance,
Source: GitHub Commit 4ca26bc
The patch promotes W to cimg_int64 before multiplication. This forces 64-bit arithmetic across the whole expression and prevents the wrap-around that bypassed the file-size guard.
Detection Methods for CVE-2026-42144
Indicators of Compromise
- PNM, PGM, or PPM files declaring dimensions whose product exceeds 2^32 yet match small file sizes on disk
- Crashes or heap corruption signatures in processes that link CImg when handling user-supplied images
- Unexpected CImgIOException patterns or aborted image-processing jobs in application logs
Detection Strategies
- Inventory software dependencies and identify binaries that statically include CImg.h prior to release v3.7.5
- Apply YARA or file-type rules that flag PNM headers with dimensions above sane thresholds (for example, any dimension greater than 65535)
- Inspect crash dumps from image-processing services for heap corruption originating in _load_pnm() call frames
Monitoring Recommendations
- Monitor endpoints that run image-conversion, OCR, or batch-processing tools for abnormal child-process termination
- Log file ingestion paths where PNM/PGM/PPM content is parsed and review for malformed headers
- Track software bill of materials (SBOM) updates to confirm the CImg version reaches v3.7.5 or later
How to Mitigate CVE-2026-42144
Immediate Actions Required
- Upgrade CImg to release v3.7.5 or any build that includes commit 4ca26bc
- Rebuild and redistribute downstream applications that statically embed the CImg header
- Restrict ingestion of untrusted PNM, PGM, and PPM files until the patched library is deployed
- Validate image dimensions in calling code before passing files to CImg loaders
Patch Information
The maintainers fixed the issue in commit 4ca26bc by casting W to cimg_int64 inside the dimension check in _load_pnm(). The fix is shipped in CImg release v3.7.5. Additional context is available in the GitHub Security Advisory GHSA-4663-63fm-44gc and the upstream issue discussion.
Workarounds
- Reject PNM headers whose width, height, or depth exceed application-defined limits before invoking CImg
- Run image-processing workloads inside sandboxes or low-privilege accounts to contain heap corruption
- Disable PNM/PGM/PPM support in affected applications where the format is not required
# Verify the installed CImg version contains the fix
grep -n "CImg_version" /path/to/CImg.h
# Expect a value >= 375 (release v3.7.5)
# Pull the patched source directly from upstream
git clone https://github.com/GreycLab/CImg.git
cd CImg && git checkout v.3.7.5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
