Skip to main content

Libsixel CVE-2026-33020

| EUVDEUVD-2026-22744 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-04-14 security-advisories@github.com
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

9
Patch released
Apr 23, 2026 - 14:47 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:56 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.8.7-r1
Analysis Generated
Apr 14, 2026 - 22:41 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:22 euvd
EUVD-2026-22744
Analysis Generated
Apr 14, 2026 - 22:22 vuln.today
CVE Published
Apr 14, 2026 - 22:16 nvd
HIGH 7.1

DescriptionGitHub Advisory

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow which leads to a heap buffer overflow via sixel_frame_convert_to_rgb888() in frame.c, where allocation size and pointer offset computations for palettised images (PAL1, PAL2, PAL4) are performed using int arithmetic before casting to size_t. For images whose pixel count exceeds INT_MAX / 4, the overflow produces an undersized heap allocation for the conversion buffer and a negative pointer offset for the normalization sub-buffer, after which sixel_helper_normalize_pixelformat() writes the full image data starting from the invalid pointer, causing massive heap corruption confirmed by ASAN. An attacker providing a specially crafted large palettised PNG can corrupt the heap of the victim process, resulting in a reliable crash and potential arbitrary code execution. This issue has been fixed in version 1.8.7-r1.

AnalysisAI

Heap buffer overflow in libsixel 1.8.7 and earlier allows local attackers to achieve arbitrary code execution by providing a maliciously crafted large palettised PNG image that triggers integer overflow in RGB888 conversion routines. The vulnerability requires user interaction to process the malicious image but no authentication. EPSS data not available; no public exploit identified at time of analysis, though the technical details in the advisory provide sufficient information for weaponization. Vendor-released patch: version 1.8.7-r1.

Technical ContextAI

libsixel is a SIXEL encoder/decoder library for terminal graphics, derived from kmiya's sixel implementation. The vulnerability (CWE-122: Heap-based Buffer Overflow) occurs in sixel_frame_convert_to_rgb888() within frame.c during conversion of palettised image formats (PAL1, PAL2, PAL4) to RGB888. The root cause is unsafe integer arithmetic: allocation size and pointer offset calculations use signed int types before casting to size_t. For images with pixel counts exceeding INT_MAX/4 (approximately 536 million pixels), integer overflow produces a severely undersized heap buffer allocation. The subsequent normalization operation in sixel_helper_normalize_pixelformat() computes a negative pointer offset, causing writes to begin at an invalid memory location. This results in massive out-of-bounds writes of full image data into uncontrolled heap regions, confirmed by AddressSanitizer during security testing. The vulnerability affects the core image processing pipeline and impacts any application using libsixel to decode untrusted palettised images.

RemediationAI

Upgrade to libsixel version 1.8.7-r1 or later, which contains fixes for the integer overflow and heap buffer overflow vulnerabilities. The patched release is available from the official GitHub repository at https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1. Organizations unable to immediately upgrade should implement input validation to reject or sanitize palettised PNG files with excessive dimensions (pixel count approaching or exceeding 536 million pixels) before processing with libsixel. Consider disabling processing of untrusted palettised images or implementing sandboxing for image conversion operations. Review all applications using libsixel dependencies and update build configurations to link against the patched version. For containerized or packaged deployments, update base images and dependency manifests to pull version 1.8.7-r1 or later. Consult the GitHub security advisory GHSA-2xgm-4x47-2x2p for additional context and vendor guidance.

CVE-2019-20140 HIGH POC
8.8 Dec 30

An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n

CVE-2019-20094 HIGH POC
8.8 Dec 30

An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n

CVE-2019-20205 HIGH POC
8.8 Jan 02

libsixel 1.8.4 has an integer overflow in sixel_frame_resize in frame.c. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2021-41715 HIGH POC
8.8 Apr 08

libsixel 1.10.0 is vulnerable to Use after free in libsixel/src/dither.c:379. Rated high severity (CVSS 8.8), this vulne

CVE-2020-21548 HIGH POC
8.8 Sep 17

Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c. Rated high sev

CVE-2020-21547 HIGH POC
8.8 Sep 17

Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c. Rated high severity (C

CVE-2019-19778 HIGH POC
8.8 Dec 13

An issue was discovered in libsixel 1.8.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n

CVE-2019-19777 HIGH POC
8.8 Dec 13

stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read i

CVE-2021-40656 HIGH POC
8.8 Apr 08

libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867. Rated high severity (CVSS 8.8), this

CVE-2022-27044 HIGH POC
8.8 Apr 08

libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876. Rated high severity (CVSS 8.8), this vulnerab

CVE-2022-27046 HIGH POC
8.8 Apr 08

libsixel 1.8.6 suffers from a Heap Use After Free vulnerability in in libsixel/src/dither.c:388. Rated high severity (CV

CVE-2019-3574 HIGH POC
7.8 Jan 02

In libsixel v1.8.2, there is a heap-based buffer over-read in the function load_jpeg() in the file loader.c, as demonstr

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-33020 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy