CVE-2026-42146— CImg Library: Uncontrolled memory allocation via nb_colors field in _load_bmp

CVSS 5.5 · Medium EPSS 0.01% · P2 Updated May 06, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-42146

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

CImg Library: Uncontrolled memory allocation via nb_colors field in _load_bmp

Source: NVD (National Vulnerability Database)

Vulnerability Description

CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

未经控制的内存分配

Source: NVD (National Vulnerability Database)

Vulnerability Title

CImg 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

CImg是GREYC开源的一个用于图像处理的小型开源 C++ 工具包。 CImg存在安全漏洞，该漏洞源于未验证BMP文件头中nb_colors字段，可能导致分配过大内存并造成内存不足崩溃。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
GreycLab	CImg	< c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3	-

II. Public POCs for CVE-2026-42146

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-42146

请登录查看更多情报信息。

OOM on crafted BMP via unbounded nb_colors field (_load_bmp) · Issue #477 · GreycLab/CImgx_refsource_MISC
Release v.3.7.5 · GreycLab/CImg · GitHubx_refsource_MISC
Uncontrolled memory allocation via nb_colors field in _load_bmp · Advisory · GreycLab/CImg · GitHubx_refsource_CONFIRM
Fix #477. · GreycLab/CImg@c3aacf5 · GitHubx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2026-42146

IV. Related Vulnerabilities

Same product: CImg

Same vendor: GreycLab

CVE-2026-42144
CImg Library: Integer overflow in PNM size check bypasses me

Same weakness: CWE-789

V. Comments for CVE-2026-42146

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-42146— CImg Library: Uncontrolled memory allocation via nb_colors field in _load_bmp

I. Basic Information for CVE-2026-42146

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-42146

III. Intelligence Information for CVE-2026-42146

IV. Related Vulnerabilities

V. Comments for CVE-2026-42146

Leave a comment