Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Lifecycle Timeline
9DescriptionGitHub Advisory
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. In sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, causing the bounds guard to be skipped entirely, and the unclamped coordinate is passed through sixel_frame_clip() to clip(), which computes a source pointer far beyond the image buffer and passes it to memmove(). An attacker supplying a specially crafted crop argument with any valid image can trigger an out-of-bounds read in the heap, resulting in a reliable crash and potential information disclosure. This issue has been fixed in version 1.8.7-r1.
AnalysisAI
Out-of-bounds heap read in libsixel img2sixel via integer overflow allows local attackers to crash the application and potentially leak sensitive memory contents when processing malicious --crop arguments with otherwise valid images. Affects libsixel 1.8.7 and earlier; patched in 1.8.7-r1. EPSS data not available, but exploitation requires local access with user interaction (CVSS AV:L/UI:R). No CISA KEV listing; no public exploit identified at time of analysis.
Technical ContextAI
libsixel is a SIXEL image format encoder/decoder library derived from kmiya's sixel implementation, commonly used for terminal graphics rendering. The vulnerability exists in the img2sixel command-line utility's --crop option parser within sixel_encoder_do_clip(). When processing crop coordinates, the code accepts positive integers up to INT_MAX without overflow-safe validation. The expression 'clip_w + clip_x' triggers signed integer overflow when clip_x approaches INT_MAX, wrapping to a large negative value that bypasses bounds checking guards. This corrupted coordinate propagates through sixel_frame_clip() to clip(), which calculates a source pointer extending far beyond the allocated heap buffer boundaries before passing it to memmove(). The root cause is CWE-125 (Out-of-bounds Read) enabled by inadequate integer overflow protection in arithmetic operations involving user-controlled crop coordinates.
RemediationAI
Vendor-released patch: libsixel version 1.8.7-r1 contains the fix for this integer overflow vulnerability. Users should immediately upgrade to libsixel 1.8.7-r1 or later, available from the official GitHub releases page at https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1. For environments where immediate patching is not feasible, implement input validation to reject --crop arguments with coordinates approaching INT_MAX, or restrict img2sixel usage to trusted input sources only. Organizations using libsixel in automated processing pipelines should sanitize crop parameters from untrusted sources and consider sandboxing img2sixel execution to contain potential information disclosure. Review the vendor security advisory at https://github.com/saitoha/libsixel/security/advisories/GHSA-c854-ffg9-g72c for additional technical details and upgrade guidance.
An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n
An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n
libsixel 1.8.4 has an integer overflow in sixel_frame_resize in frame.c. Rated high severity (CVSS 8.8), this vulnerabil
libsixel 1.10.0 is vulnerable to Use after free in libsixel/src/dither.c:379. Rated high severity (CVSS 8.8), this vulne
Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c. Rated high sev
Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c. Rated high severity (C
An issue was discovered in libsixel 1.8.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n
stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read i
libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867. Rated high severity (CVSS 8.8), this
libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876. Rated high severity (CVSS 8.8), this vulnerab
libsixel 1.8.6 suffers from a Heap Use After Free vulnerability in in libsixel/src/dither.c:388. Rated high severity (CV
In libsixel v1.8.2, there is a heap-based buffer over-read in the function load_jpeg() in the file loader.c, as demonstr
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22742