On 21 April 2026 the OpenBSD project shipped errata 032 for the 7.8 branch (and errata 038 for 7.7) with a security fix in libXpm, the library that reads and writes images in the XPM (X PixMap) format. The flaw, tracked as CVE-2026-4367, is an out-of-bounds read triggered when the library parses a crafted XPM file.
What CVE-2026-4367 is
libXpm is part of the X.Org client libraries and is used by many programs that load icons or images in XPM format, an old plain-text format that still shows up across X11 desktops and applications. The bug lives in how the library interprets the header and color data of an XPM file. When those fields don’t match the actual size of the data, the parsing code reads past the end of the allocated buffer.
An out-of-bounds read by itself doesn’t let an attacker write memory or inject code, but it can expose adjacent memory contents or, more commonly, crash the application that opened the image. That’s why OpenBSD rates it as medium severity rather than critical: the realistic outcome is a denial of service in the affected application or a leak of small memory fragments, not direct code execution.
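As an added illustration (not libXpm's code, and not the routine the errata patches), a hypothetical validator for the in-memory XPM data array that checks every count the header declares against what is actually present before any of it is indexed, the class of check that keeps a mismatched header from turning into an over-read; the sample images are constructed:

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator, not libXpm code. Input is the XPM "char *data[]" form:
 * data[0] = "<width> <height> <ncolors> <chars_per_pixel>" (hotspot/XPMEXT fields
 * are not handled), then ncolors colour lines, then height rows of width*cpp chars. */
enum xpm_status { XPM_OK = 0, XPM_BAD_HEADER, XPM_TOO_LARGE,
                  XPM_SHORT_DATA, XPM_BAD_COLOR, XPM_BAD_PIXEL };

enum xpm_status xpm_validate(const char *const *data, size_t nlines)
{
    long w, h, nc, cpp;
    if (data == NULL || nlines == 0 || data[0] == NULL ||
        sscanf(data[0], "%ld %ld %ld %ld", &w, &h, &nc, &cpp) != 4)
        return XPM_BAD_HEADER;
    if (w <= 0 || h <= 0 || nc <= 0 || cpp <= 0 || cpp > 8)
        return XPM_BAD_HEADER;
    /* Refuse sizes whose row-length arithmetic would overflow. */
    if (w > INT_MAX / cpp || h > INT_MAX || nc > INT_MAX)
        return XPM_TOO_LARGE;
    size_t rowlen = (size_t)w * (size_t)cpp;
    /* The array must really hold header + ncolors + height strings; trusting
     * the header's counts here is what lets a parser index past the end. */
    if (nlines < 1 + (size_t)nc + (size_t)h)
        return XPM_SHORT_DATA;
    for (long i = 0; i < nc; i++) {   /* "<key> c <colour>": at least cpp+4 chars */
        const char *c = data[1 + i];
        if (c == NULL || strlen(c) < (size_t)cpp + 4) return XPM_BAD_COLOR;
    }
    for (long r = 0; r < h; r++) {
        const char *row = data[1 + nc + r];
        if (row == NULL || strlen(row) != rowlen) return XPM_SHORT_DATA;
        for (size_t x = 0; x < rowlen; x += (size_t)cpp) {  /* every key declared? */
            long i;
            for (i = 0; i < nc; i++)
                if (memcmp(row + x, data[1 + i], (size_t)cpp) == 0) break;
            if (i == nc) return XPM_BAD_PIXEL;
        }
    }
    return XPM_OK;
}

/* Constructed samples (not from the advisory): a valid 3x2 icon, a header
 * claiming more rows than are present, and a row using an undeclared key. */
static const char *const good_xpm[]   = { "3 2 2 1", ". c None", "# c #000000", ".#.", "#.#" };
static const char *const short_xpm[]  = { "3 4 2 1", ". c None", "# c #000000", ".#.", "#.#" };
static const char *const badpix_xpm[] = { "3 2 2 1", ". c None", "# c #000000", ".#.", "#X#" };
#define NLINES(a) (sizeof(a) / sizeof((a)[0]))

int main(void) { return xpm_validate(good_xpm, NLINES(good_xpm)) == XPM_OK ? 0 : 1; }
```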
Who is affected
This affects OpenBSD 7.7 and 7.8 running the base-system libXpm. The risk shows up when a program linked against libXpm opens an XPM from an untrusted source: a downloaded file, an attachment, a resource loaded by an X11 application. It is not remotely exploitable without interaction; someone has to get you to open or process the malicious image.
Keep in mind that libXpm is shared code across distributions that ship X.Org, so flaws like this usually get parallel patches on other systems. On OpenBSD the preferred path is always the same: apply the official errata.
How to mitigate it
The fix arrives as an errata signed by the project. On a system with syspatch available, run:
doas syspatch
That downloads and installs the errata 032 patch (on 7.8) or 038 (on 7.7) without recompiling. After applying it, restart any open applications so they load the updated library. If you build the system from source, sync your tree with the errata branch and rebuild libXpm.
This same April batch included a related fix: a buffer overflow in slaacd(8), the IPv6 address autoconfiguration daemon. If you run syspatch, both fixes land in one pass.
If you work with OpenBSD and its X server, you may want our look at the X server vulnerabilities fixed in errata 037, from the same 7.8 branch. And to understand why this project chases these bugs in such detail, read our piece on OpenBSD and its security culture.
Sources
- Official errata: OpenBSD 7.8 Errata (032 - libXpm)
- Vulnerability detail: CVE-2026-4367 on NVD