Bug 2448984 (CVE-2026-4367)

Summary:	CVE-2026-4367 libXpm: libXpm: Denial of Service via out-of-bounds read in XPM file parsing
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	rhel-process-autobot, security-response-team, watson-tool-maintainers
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A flaw was found in libXpm. A local user with low privileges could exploit an Out-of-Bounds Read vulnerability in the `xpmNextWord()` function by processing a specially crafted or very small XPM (X PixMap) image file. This improper validation of file boundaries can cause an internal pointer to read beyond the file's end, leading to application crashes and Denial of Service conditions.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-03-19 10:12:07 UTC

An Out-of-Bounds Read vulnerability exists in the xpmNextWord() function of the libXpm library. The issue is caused by improper validation of file boundaries when parsing XPM image data. When a specially crafted or very small XPM file is processed, the internal pointer may advance beyond the actual end of the file, resulting in an out-of-bounds memory read. This can lead to application crashes and denial-of-service conditions in applications that rely on libXpm. The vulnerability requires local access and low privileges, and does not impact confidentiality or integrity.