CVE-2026-42146 Overview
CVE-2026-42146 is a memory allocation vulnerability in the CImg Library, a C++ image processing library maintained by the GreycLab project. The flaw resides in the BMP file loader, which reads the nb_colors field from the BMP header and uses it directly to compute an allocation size. The library does not validate this value against the remaining file size. A crafted BMP file containing an oversized nb_colors value forces the library to attempt an excessive allocation, triggering an out-of-memory condition. Any application that uses CImg to load untrusted BMP files will crash. The issue is tracked under [CWE-789] (Memory Allocation with Excessive Size Value) and was fixed in commit c3aacf5.
Critical Impact
Applications using CImg to parse untrusted BMP files can be crashed by a single malicious image, producing a reliable denial-of-service condition.
Affected Products
- CImg Library versions prior to commit c3aacf5
- CImg Library releases earlier than v.3.7.5
- Applications that link CImg to process untrusted BMP input
Discovery Timeline
- 2026-05-04 - CVE-2026-42146 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-42146
Vulnerability Analysis
The CImg BMP loader parses the bitmap file header and reads the nb_colors field, which describes the size of the color palette. The loader then multiplies this value to determine the byte count for a palette buffer allocation. Because the field is attacker-controlled and unvalidated, a crafted BMP can request an allocation far larger than the actual file. The allocation request either fails outright or exhausts available memory, terminating the host process. The result is a deterministic crash whenever the library processes the malicious file. Exploitation requires the user or service to load the BMP, matching the local attack vector and user-interaction requirement reflected in the CVSS vector.
Root Cause
The root cause is missing bounds validation on the nb_colors header field before it is used as an allocation size. The loader trusts header metadata without cross-checking it against the remaining bytes available in the file. This pattern is classified as [CWE-789]: a memory allocation where the size is derived from untrusted input without an upper bound. The patch in commit c3aacf5 introduces validation that rejects palettes too large to fit within the file.
Attack Vector
An attacker crafts a BMP file with a manipulated nb_colors field set to an extremely large value. The attacker delivers the file to a target application that uses CImg, for example through a document upload, email attachment, or local file open. When the application invokes the CImg BMP loader, the oversized allocation request triggers an out-of-memory error and the process terminates. No code execution or data disclosure occurs, but availability is fully impacted for the affected process. Verified technical detail is documented in the GitHub Security Advisory and the GitHub Issue Tracker.
Detection Methods for CVE-2026-42146
Indicators of Compromise
- Repeated unexpected termination of processes that invoke the CImg BMP loader.
- BMP files whose declared nb_colors value implies a palette larger than the file itself.
- Application logs reporting std::bad_alloc or out-of-memory errors immediately after image load operations.
Detection Strategies
- Inspect BMP headers at ingestion and flag files where nb_colors exceeds a reasonable bound such as 256 for 8-bit images.
- Compare the declared palette size against the remaining file length before passing the file to CImg.
- Track CImg version strings across the software inventory and identify builds older than v.3.7.5.
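The two header checks above can be combined in a small ingestion gate. The following is an added example, not code from CImg or from the fix commit; the function names are hypothetical, and it assumes the standard BITMAPINFOHEADER layout (palette count at byte offset 46, 4 bytes per palette entry) and rejects older, shorter header variants.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class BmpCheck { Ok, NotBmp, Truncated, PaletteTooLarge };

// Little-endian 32-bit read; the caller guarantees off + 3 < b.size().
static std::uint32_t le32(const std::vector<std::uint8_t>& b, std::size_t off) {
    return std::uint32_t(b[off]) | std::uint32_t(b[off + 1]) << 8 |
           std::uint32_t(b[off + 2]) << 16 | std::uint32_t(b[off + 3]) << 24;
}

// Hypothetical gate to call before handing the buffer to the image decoder.
// Assumption: 14-byte file header followed by a DIB header of at least 40 bytes.
BmpCheck check_bmp_palette(const std::vector<std::uint8_t>& b) {
    constexpr std::size_t kFileHdr = 14, kInfoHdr = 40;
    if (b.size() < 2 || b[0] != 'B' || b[1] != 'M') return BmpCheck::NotBmp;
    if (b.size() < kFileHdr + kInfoHdr) return BmpCheck::Truncated;
    const std::uint32_t dib_size = le32(b, 14);           // DIB header length
    const unsigned bpp = b[28] | (b[29] << 8);            // bits per pixel
    const std::uint64_t nb_colors = le32(b, 46);          // declared palette entries
    if (dib_size < kInfoHdr || dib_size > b.size() - kFileHdr) return BmpCheck::Truncated;
    // Bound 1: an indexed image of depth bpp has at most 2^bpp palette entries.
    if (bpp >= 1 && bpp <= 8 && nb_colors > (1ull << bpp)) return BmpCheck::PaletteTooLarge;
    // Bound 2: the palette (4 bytes per entry) must fit in the bytes after the headers.
    const std::uint64_t remaining = b.size() - kFileHdr - dib_size;
    if (nb_colors * 4 > remaining) return BmpCheck::PaletteTooLarge;
    return BmpCheck::Ok;
}

// Constructed sample input: minimal header, zero-filled body, `total` bytes long.
std::vector<std::uint8_t> make_sample_bmp(unsigned bpp, std::uint32_t nb_colors, std::size_t total) {
    std::vector<std::uint8_t> b(total < 54 ? 54 : total, 0);
    b[0] = 'B'; b[1] = 'M'; b[14] = 40;
    b[28] = std::uint8_t(bpp & 0xFF); b[29] = std::uint8_t(bpp >> 8);
    for (int i = 0; i < 4; ++i) b[46 + i] = std::uint8_t(nb_colors >> (8 * i));
    return b;
}

int main() {
    const auto ok  = check_bmp_palette(make_sample_bmp(8, 256, 54 + 1024 + 64));
    const auto bad = check_bmp_palette(make_sample_bmp(24, 0x10000000u, 4096));
    std::printf("well-formed: %d, oversized nb_colors: %d\n", int(ok), int(bad));
    return (ok == BmpCheck::Ok && bad == BmpCheck::PaletteTooLarge) ? 0 : 1;
}
```

The gate works on the file bytes alone, so it can run in the upload path or in a wrapper around the decoder regardless of which CImg build is linked.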
Monitoring Recommendations
- Monitor crash telemetry on services that process user-supplied images and correlate with BMP MIME types.
- Alert on repeated SIGABRT or allocation-failure exits from image-processing workers.
- Audit dependency manifests for CImg headers built before commit c3aacf5.
How to Mitigate CVE-2026-42146
Immediate Actions Required
- Upgrade CImg to release v.3.7.5 or later, which includes commit c3aacf5.
- Rebuild and redeploy any application or container image that statically links the affected CImg headers.
- Restrict BMP processing of untrusted input until the patched version is in place.
Patch Information
The fix is published in CImg v.3.7.5 and applied in commit c3aacf5. The patch validates the nb_colors value against the remaining file size before allocation, rejecting malformed BMP files instead of attempting an oversized allocation.
Workarounds
- Pre-validate BMP files in a wrapper that parses the header and rejects files where palette size exceeds the file body.
- Run CImg-based decoders in isolated worker processes with strict memory limits so a crash does not affect the parent service.
- Disable BMP support in user-facing upload paths until the patched library is deployed.
# Example: enforce a per-process memory ceiling on an image worker
systemd-run --scope -p MemoryMax=512M ./image-worker --input untrusted.bmp