FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Emacs -- Heap out-of-bounds write when rendering SVG images

Affected packages
28.1,3 <= emacs < 30.2_4,3
28.1,3 <= emacs-canna < 30.2_4,3
28.1,3 <= emacs-nox < 30.2_4,3
28.1,3 <= emacs-wayland < 30.2_4,3
emacs-devel < 31.0.50.20250201,3
emacs-devel-nox < 31.0.50.20250201,3

Details

VuXML ID c7be43b0-78f0-11f1-8898-1c697a616631
Discovery 2026-04-17
Entry 2026-07-06

Problem Description

When GNU Emacs renders an SVG image whose image spec includes a :css property, an off-by-one error in svg_load_image() writes a NUL byte one position past the end of a heap allocation. The copied string is also left without NUL termination within its allocation, causing a subsequent out-of-bounds read.

Impact

A single NUL byte heap overflow is a well-understood exploitation primitive ("poison NUL byte") that can corrupt heap metadata and potentially be escalated to arbitrary code execution. The overflow can be triggered by Lisp code that displays an SVG image with a crafted :css property.

References

CVE Name CVE-2026-6861
URL https://debbugs.gnu.org/cgi/bugreport.cgi?bug=80851
URL https://nvd.nist.gov/vuln/detail/CVE-2026-6861