Skip to main content

libsixel CVE-2026-44638

| EUVD-2026-30411 LOW
NULL Pointer Dereference (CWE-476)
2026-05-14 GitHub_M
Denial Of Service Null Pointer Dereference
2.5
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
May 14, 2026 - 21:32 EUVD
Analysis Generated
May 14, 2026 - 21:18 vuln.today
CVE Published
May 14, 2026 - 19:59 nvd
LOW 2.5

DescriptionNVD

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a wrong NULL check after an allocation call in sixel_decode_raw and sixel_decode causes a NULL pointer dereference whenever the allocation fails. The check tests the address of the output parameter (always non-NULL) instead of the value the malloc returned. On allocation failure, the function continues and writes through a NULL pointer, crashing the process. This is a denial of service against any caller of these public APIs that hits a low-memory condition. This vulnerability is fixed in 1.8.7-r2.

AnalysisAI

libsixel versions prior to 1.8.7-r2 crash on memory allocation failure in sixel_decode_raw and sixel_decode functions due to incorrect NULL pointer validation, allowing local attackers to trigger denial of service under low-memory conditions. The vulnerability affects any application using libsixel's public decoding APIs when system memory pressure causes malloc to fail.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-44638 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy