Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context->pos_x grows by repeat_count on every sixel character with no upper bound check. Once pos_x approaches INT_MAX, the expression "pos_x + repeat_count" used to size the image buffer overflows signed int. Depending on how the overflow wraps, the resize check that should reject oversized buffers can be bypassed, after which a subsequent write computes a large attacker-influenced offset into image->data and writes past the allocation. Reachable from any caller that decodes attacker-supplied SIXEL data, including img2sixel. This vulnerability is fixed in 1.8.7-r2.
AnalysisAI
Heap buffer overflow in libsixel versions up to 1.8.7-r1 enables local attackers to corrupt memory and potentially execute code by supplying maliciously crafted SIXEL image data. A signed integer overflow in the SIXEL parser's buffer resizing logic bypasses allocation size checks, allowing out-of-bounds writes with attacker-controlled offsets. The vulnerability requires user interaction to process a malicious SIXEL file but does not require authentication. Fixed in version 1.8.7-r2. No active exploitation confirmed (not in CISA KEV); public exploit code status unknown.
Technical ContextAI
SIXEL is a bitmap graphics format used in terminal emulators for inline image display. libsixel implements encoding and decoding of SIXEL data streams. The vulnerability (CWE-190: Integer Overflow or Wraparound) occurs in sixel_decode_raw_impl where context->pos_x increments by repeat_count for each SIXEL character without bounds validation. When pos_x approaches INT_MAX (2,147,483,647 on typical 32-bit signed integers), the expression 'pos_x + repeat_count' overflows, wrapping to a small or negative value. This corrupted result bypasses the buffer size check intended to prevent over-allocation. The subsequent memory write uses the overflowed value to calculate an offset into image->data, resulting in a heap buffer overflow with attacker-influenced displacement. Affects all callers processing untrusted SIXEL data, including the img2sixel utility and any applications embedding libsixel for terminal graphics rendering.
RemediationAI
Upgrade libsixel to version 1.8.7-r2 or later, which contains bounds validation to prevent the signed integer overflow in the SIXEL parser. Download from the official repository or use package manager updates when available. Vendor advisory with patch details: https://github.com/saitoha/libsixel/security/advisories/GHSA-9jm7-77gr-qghv. For systems where immediate patching is not feasible, implement defense-in-depth controls: configure terminal emulators to disable automatic SIXEL rendering from untrusted sources, restrict img2sixel and similar utilities to processing only trusted input files through access controls, and deploy application sandboxing (seccomp, AppArmor, or containers with limited heap permissions) to contain potential exploitation. Note that disabling SIXEL support entirely eliminates attack surface but breaks legitimate terminal graphics functionality. Input validation at the application layer (file size limits, rejecting SIXEL data from untrusted network sources) provides partial mitigation but cannot prevent exploitation if malicious files are explicitly opened by users.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30412