CVE-2025-52456

Name: CVE-2025-52456
Description: A memory corruption vulnerability exists in the WebP Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .webp animation an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1112346

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| sail (PTS) | forky, trixie | 0.9.8-1 | vulnerable |
| | sid | 0.9.9-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| sail | source | (unstable) | 0.9.9-1 | | | 1112346 |

Notes

[trixie] - sail <no-dsa> (Minor issue)
https://talosintelligence.com/vulnerability_reports/TALOS-2025-2224
https://github.com/HappySeaFox/sail/issues/230
Tests: https://github.com/HappySeaFox/sail/commit/463a80236406a52f59e34f9a4ff0327a3995862b
