
Cloud Vulnerability DB
A community-led vulnerabilities database
A memory corruption vulnerability exists in the WebP image decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .webp animation, an integer overflow can occur while calculating the stride used for decoding, which subsequently leads to a heap-based buffer overflow during image decoding. Triggering the vulnerability requires that a user or application open a malicious file with the library (Talos).
The overflow occurs in the WebP decoding path when the stride and the decode buffer size are calculated. The buffer size is derived from the image width, the image height and the 4 bytes per pixel of the RGBA pixel format; if that product exceeds 32 bits, the multiplication wraps on 32-bit platforms, where the size arithmetic is only 32 bits wide. The result is an undersized heap allocation, which then overflows when the decoder fills it with the animation's background color. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos).
Successful exploitation can lead to arbitrary code execution in the context of the process that loaded the library: the heap-based buffer overflow caused by the integer overflow lets an attacker who supplies a specially crafted WebP image corrupt heap memory and potentially execute code (Talos).
The vulnerability affects SAIL Image Decoding Library v0.9.8 (commit 221db576ce1263ab92bd882f344b68b8eec16cad). Users should update to a patched version of the library when one is available; until then, avoid passing untrusted WebP animations to the library, particularly in 32-bit builds (Talos).
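The size calculation described above, shown as an added example that is not SAIL's code: the unchecked form wraps when width * 4 * height exceeds 32 bits, and the checked form rejects the same dimensions before allocating. The example emulates a 32-bit size type so the wrap is visible on a 64-bit host, and parses canvas dimensions from a constructed VP8X chunk payload (WebP stores the canvas width and height as 24-bit fields, so a crafted file can declare a far larger canvas than any real image). The function names and the sample payload are assumptions made for this illustration.

```c
/* Added example (not SAIL code): 32-bit wrap in a width*4*height size
 * computation, and the overflow-checked form that rejects it.
 * Function names and the VP8X sample payload below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t size32_t;   /* emulates size_t on a 32-bit target */

/* VP8X chunk payload: 1 flag byte, 3 reserved bytes, canvas width-1 and
 * canvas height-1 as 24-bit little-endian values. Returns 1 on success. */
int parse_vp8x_canvas(const uint8_t *p, size_t len, uint32_t *w, uint32_t *h) {
    if (len < 10) return 0;
    *w = ((uint32_t)p[4] | (uint32_t)p[5] << 8 | (uint32_t)p[6] << 16) + 1u;
    *h = ((uint32_t)p[7] | (uint32_t)p[8] << 8 | (uint32_t)p[9] << 16) + 1u;
    return 1;
}

/* Vulnerable pattern: stride and total size in 32-bit arithmetic, unchecked.
 * The product wraps modulo 2^32, so the allocation comes out too small. */
size32_t unchecked_canvas_bytes(uint32_t w, uint32_t h) {
    size32_t stride = w * 4u;           /* RGBA: 4 bytes per pixel */
    return stride * h;                  /* wraps silently */
}

/* Hardened form: portable overflow checks before each multiplication.
 * Returns 0 (and leaves *out untouched) if the size does not fit. */
int checked_canvas_bytes(uint32_t w, uint32_t h, size32_t *out) {
    if (w > UINT32_MAX / 4u) return 0;
    size32_t stride = w * 4u;
    if (h != 0 && stride > UINT32_MAX / h) return 0;
    *out = stride * h;
    return 1;
}

/* Bytes a row-by-row background fill of the whole canvas actually writes. */
uint64_t fill_bytes_needed(uint32_t w, uint32_t h) {
    return (uint64_t)w * 4u * (uint64_t)h;
}

/* Checked allocation plus background fill with an RGBA colour.
 * Returns NULL when the dimensions are rejected or malloc fails. */
uint8_t *alloc_and_fill_canvas(uint32_t w, uint32_t h, const uint8_t rgba[4]) {
    size32_t n;
    if (!checked_canvas_bytes(w, h, &n) || n == 0) return NULL;
    uint8_t *buf = malloc(n);
    if (!buf) return NULL;
    for (size32_t i = 0; i < n; i += 4) memcpy(buf + i, rgba, 4);
    return buf;
}

/* Constructed VP8X payload declaring a 65536 x 16385 animated canvas
 * (width-1 = 0x00FFFF, height-1 = 0x004000). */
static const uint8_t crafted_vp8x[10] = {
    0x02, 0x00, 0x00, 0x00,   /* flags: animation bit set; reserved bytes */
    0xFF, 0xFF, 0x00,         /* canvas width  - 1 */
    0x00, 0x40, 0x00          /* canvas height - 1 */
};

int main(void) {
    uint32_t w, h;
    size32_t n;
    parse_vp8x_canvas(crafted_vp8x, sizeof crafted_vp8x, &w, &h);
    printf("canvas %ux%u: unchecked size %u bytes, fill writes %llu bytes\n",
           w, h, unchecked_canvas_bytes(w, h),
           (unsigned long long)fill_bytes_needed(w, h));
    printf("checked size calculation: %s\n",
           checked_canvas_bytes(w, h, &n) ? "accepted" : "rejected");
    const uint8_t white[4] = {255, 255, 255, 255};
    uint8_t *buf = alloc_and_fill_canvas(1024, 768, white);
    printf("1024x768 canvas: %s\n", buf ? "allocated and filled" : "rejected");
    free(buf);
    return 0;
}
```

For the constructed 65536 x 16385 canvas the unchecked computation yields 262144 bytes while the fill writes just over 4 GiB, which is exactly the undersized-allocation-then-overflow sequence the advisory describes; the checked version refuses the dimensions before any memory is allocated.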
Source: This report was generated using AI