Skip to main content

Libsixel CVE-2026-33021

| EUVDEUVD-2026-22746 HIGH
Use After Free (CWE-416)
2026-04-14 GitHub_M
7.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
SUSE
HIGH
qualitative
Red Hat
7.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

9
Patch released
Apr 23, 2026 - 14:23 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:57 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.8.7-r1
Analysis Generated
Apr 15, 2026 - 01:08 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:46 euvd
EUVD-2026-22746
Analysis Generated
Apr 14, 2026 - 22:46 vuln.today
CVE Published
Apr 14, 2026 - 21:57 nvd
HIGH 7.3

DescriptionGitHub Advisory

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dangling pointer. Any subsequent access to the original buffer by the caller constitutes a use-after-free, confirmed by AddressSanitizer. An attacker who controls incoming frames can trigger this bug repeatedly and predictably, resulting in a reliable crash with potential for code execution. This issue has been fixed in version 1.8.7-r1.

AnalysisAI

Use-after-free in libsixel 1.8.7 and earlier enables local attackers to crash applications or execute arbitrary code via crafted SIXEL image frames. The vulnerability occurs when sixel_encoder_encode_bytes() processes resize operations that free caller-owned pixel buffers, creating dangling pointers exploitable through repeated, predictable frame manipulation. EPSS data not available; no confirmed active exploitation (not in CISA KEV), but the technical details suggest reliable exploitation potential for local privilege escalation or RCE scenarios.

Technical ContextAI

libsixel is a library for encoding and decoding SIXEL graphics format, derived from kmiya's sixel implementation. The vulnerability stems from unsafe memory management in the encoder pipeline: sixel_frame_init() stores a direct pointer to the caller's pixel buffer in frame->pixels without creating a defensive copy. When sixel_frame_convert_to_rgb888() handles image resize operations during encoding, it unconditionally calls free() on this caller-owned buffer and replaces it with a new internal allocation. This violates memory ownership contracts and leaves the caller holding a dangling pointer to freed memory. The issue is classified as CWE-416 (Use After Free), a critical memory corruption class that typically leads to crashes, information disclosure, or arbitrary code execution depending on heap layout and attacker control over subsequent allocations. AddressSanitizer confirmed the use-after-free condition, indicating the bug is deterministic and reproducible under controlled conditions.

RemediationAI

Upgrade libsixel to version 1.8.7-r1 or later, released by the vendor to address this use-after-free vulnerability. The patch modifies memory ownership semantics in sixel_frame_init() and sixel_frame_convert_to_rgb888() to prevent premature deallocation of caller-owned buffers. Download the fixed version from the official release page at https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1 and rebuild dependent applications against the updated library. For systems using package managers, check for updated libsixel packages from distribution maintainers. As a temporary workaround if immediate patching is not feasible, restrict processing of SIXEL images to trusted sources only and implement strict input validation to reject malformed or suspiciously crafted image frames that might trigger resize operations. Monitor applications for unexpected crashes in SIXEL processing code paths, as these may indicate exploitation attempts. Review application code to ensure proper error handling around sixel_encoder_encode_bytes() calls and validate that pixel buffers are not accessed after encoding operations until memory ownership is reestablished.

CVE-2019-20140 HIGH POC
8.8 Dec 30

An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n

CVE-2019-20094 HIGH POC
8.8 Dec 30

An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n

CVE-2019-20205 HIGH POC
8.8 Jan 02

libsixel 1.8.4 has an integer overflow in sixel_frame_resize in frame.c. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2021-41715 HIGH POC
8.8 Apr 08

libsixel 1.10.0 is vulnerable to Use after free in libsixel/src/dither.c:379. Rated high severity (CVSS 8.8), this vulne

CVE-2020-21548 HIGH POC
8.8 Sep 17

Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c. Rated high sev

CVE-2020-21547 HIGH POC
8.8 Sep 17

Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c. Rated high severity (C

CVE-2019-19778 HIGH POC
8.8 Dec 13

An issue was discovered in libsixel 1.8.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n

CVE-2019-19777 HIGH POC
8.8 Dec 13

stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read i

CVE-2021-40656 HIGH POC
8.8 Apr 08

libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867. Rated high severity (CVSS 8.8), this

CVE-2022-27044 HIGH POC
8.8 Apr 08

libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876. Rated high severity (CVSS 8.8), this vulnerab

CVE-2022-27046 HIGH POC
8.8 Apr 08

libsixel 1.8.6 suffers from a Heap Use After Free vulnerability in in libsixel/src/dither.c:388. Rated high severity (CV

CVE-2019-3574 HIGH POC
7.8 Jan 02

In libsixel v1.8.2, there is a heap-based buffer over-read in the function load_jpeg() in the file loader.c, as demonstr

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-33021 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy