Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
9DescriptionGitHub Advisory
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow which leads to a heap buffer overflow via sixel_frame_convert_to_rgb888() in frame.c, where allocation size and pointer offset computations for palettised images (PAL1, PAL2, PAL4) are performed using int arithmetic before casting to size_t. For images whose pixel count exceeds INT_MAX / 4, the overflow produces an undersized heap allocation for the conversion buffer and a negative pointer offset for the normalization sub-buffer, after which sixel_helper_normalize_pixelformat() writes the full image data starting from the invalid pointer, causing massive heap corruption confirmed by ASAN. An attacker providing a specially crafted large palettised PNG can corrupt the heap of the victim process, resulting in a reliable crash and potential arbitrary code execution. This issue has been fixed in version 1.8.7-r1.
AnalysisAI
Heap buffer overflow in libsixel 1.8.7 and earlier allows local attackers to achieve arbitrary code execution by providing a maliciously crafted large palettised PNG image that triggers integer overflow in RGB888 conversion routines. The vulnerability requires user interaction to process the malicious image but no authentication. EPSS data not available; no public exploit identified at time of analysis, though the technical details in the advisory provide sufficient information for weaponization. Vendor-released patch: version 1.8.7-r1.
Technical ContextAI
libsixel is a SIXEL encoder/decoder library for terminal graphics, derived from kmiya's sixel implementation. The vulnerability (CWE-122: Heap-based Buffer Overflow) occurs in sixel_frame_convert_to_rgb888() within frame.c during conversion of palettised image formats (PAL1, PAL2, PAL4) to RGB888. The root cause is unsafe integer arithmetic: allocation size and pointer offset calculations use signed int types before casting to size_t. For images with pixel counts exceeding INT_MAX/4 (approximately 536 million pixels), integer overflow produces a severely undersized heap buffer allocation. The subsequent normalization operation in sixel_helper_normalize_pixelformat() computes a negative pointer offset, causing writes to begin at an invalid memory location. This results in massive out-of-bounds writes of full image data into uncontrolled heap regions, confirmed by AddressSanitizer during security testing. The vulnerability affects the core image processing pipeline and impacts any application using libsixel to decode untrusted palettised images.
RemediationAI
Upgrade to libsixel version 1.8.7-r1 or later, which contains fixes for the integer overflow and heap buffer overflow vulnerabilities. The patched release is available from the official GitHub repository at https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1. Organizations unable to immediately upgrade should implement input validation to reject or sanitize palettised PNG files with excessive dimensions (pixel count approaching or exceeding 536 million pixels) before processing with libsixel. Consider disabling processing of untrusted palettised images or implementing sandboxing for image conversion operations. Review all applications using libsixel dependencies and update build configurations to link against the patched version. For containerized or packaged deployments, update base images and dependency manifests to pull version 1.8.7-r1 or later. Consult the GitHub security advisory GHSA-2xgm-4x47-2x2p for additional context and vendor guidance.
An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n
An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n
libsixel 1.8.4 has an integer overflow in sixel_frame_resize in frame.c. Rated high severity (CVSS 8.8), this vulnerabil
libsixel 1.10.0 is vulnerable to Use after free in libsixel/src/dither.c:379. Rated high severity (CVSS 8.8), this vulne
Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c. Rated high sev
Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c. Rated high severity (C
An issue was discovered in libsixel 1.8.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n
stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read i
libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867. Rated high severity (CVSS 8.8), this
libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876. Rated high severity (CVSS 8.8), this vulnerab
libsixel 1.8.6 suffers from a Heap Use After Free vulnerability in in libsixel/src/dither.c:388. Rated high severity (CV
In libsixel v1.8.2, there is a heap-based buffer over-read in the function load_jpeg() in the file loader.c, as demonstr
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22744