Skip to main content

Libsixel EUVDEUVD-2026-22740

| CVE-2026-33018 HIGH
Use After Free (CWE-416)
2026-04-14 security-advisories@github.com
High
Disputed · 7.0 NVD
Share

Severity by source

Sources disagree (Low–High)
GitHub Advisory PRIMARY
7.0 HIGH
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
3.1 LOW
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
7.0 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Patch released
Apr 23, 2026 - 14:48 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:56 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.8.7-rc1
Analysis Generated
Apr 14, 2026 - 22:40 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:22 euvd
EUVD-2026-22740
Analysis Generated
Apr 14, 2026 - 22:22 vuln.today
CVE Published
Apr 14, 2026 - 22:16 nvd
HIGH 7.0

DescriptionGitHub Advisory

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across all frames of an animated GIF and gif_init_frame() unconditionally frees and reallocates frame->pixels between frames without consulting the object's reference count. Because the public API explicitly provides sixel_frame_ref() to retain a frame and sixel_frame_get_pixels() to access the raw pixel buffer, a callback following this documented usage pattern will hold a dangling pointer after the second frame is decoded, resulting in a heap use-after-free confirmed by ASAN. Any application using sixel_helper_load_image_file() with a multi-frame callback to process user-supplied animated GIFs is affected, with a reliable crash as the minimum impact and potential for code execution. This issue has been fixed in version 1.8.7-r1.

AnalysisAI

Heap use-after-free in libsixel 1.8.7 and earlier allows local code execution when processing malicious animated GIF files through the sixel_helper_load_image_file() API with multi-frame callbacks. The vulnerability triggers when gif_init_frame() unconditionally frees and reallocates frame->pixels between frames while client code retains references via the documented sixel_frame_ref() API, creating dangling pointers confirmed by AddressSanitizer. Fixed in version 1.8.7-r1. No public exploit iden

Technical ContextAI

This is a classic use-after-free vulnerability (CWE-416) in libsixel's GIF decoding pipeline, specifically in the load_gif() function within fromgif.c. The core issue stems from an object lifetime management flaw: the library reuses a single sixel_frame_t object across all frames of an animated GIF, but gif_init_frame() unconditionally calls free() and realloc() on the frame->pixels buffer between frames without checking reference counts. The public API explicitly provides sixel_frame_ref() to increment reference counts and sixel_frame_get_pixels() to access the raw pixel buffer, establishing a documented usage pattern where client code legitimately retains frame references across callbacks. When the second frame is decoded, the unconditional deallocation invalidates all previously-returned pixel buffer pointers, creating a dangling pointer condition. Applications using sixel_helper_load_image_file() with multi-frame callbacks follow this pattern and will dereference freed heap memory, producing ASAN-confirmed heap corruption. The vulnerability represents a fundamental violation of object ownership semantics in a C library with manual memory management.

RemediationAI

Upgrade immediately to libsixel version 1.8.7-r1 or later, which contains the complete fix for this use-after-free vulnerability as confirmed in the release notes at https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1. Organizations should inventory all applications that depend on libsixel either directly or through transitive dependencies and prioritize updates for systems that process untrusted GIF files from external sources. If immediate patching is not feasible, implement defense-in-depth controls including input validation to reject animated GIFs if only static images are required, sandboxing of image processing operations using operating system primitives like seccomp or pledge, and application of memory-safety mitigations such as heap hardening features available in modern allocators. For development teams building applications on libsixel, avoid using multi-frame callbacks with sixel_helper_load_image_file() until upgrade is complete, or implement custom GIF parsing that does not rely on the vulnerable frame reuse pattern. Consult the GitHub Security Advisory at https://github.com/saitoha/libsixel/security/advisories/GHSA-w46f-jr9f-rgvp for additional vendor guidance and workaround recommendations.

CVE-2019-20140 HIGH POC
8.8 Dec 30

An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n

CVE-2019-20094 HIGH POC
8.8 Dec 30

An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n

CVE-2019-20205 HIGH POC
8.8 Jan 02

libsixel 1.8.4 has an integer overflow in sixel_frame_resize in frame.c. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2021-41715 HIGH POC
8.8 Apr 08

libsixel 1.10.0 is vulnerable to Use after free in libsixel/src/dither.c:379. Rated high severity (CVSS 8.8), this vulne

CVE-2020-21548 HIGH POC
8.8 Sep 17

Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c. Rated high sev

CVE-2020-21547 HIGH POC
8.8 Sep 17

Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c. Rated high severity (C

CVE-2019-19778 HIGH POC
8.8 Dec 13

An issue was discovered in libsixel 1.8.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n

CVE-2019-19777 HIGH POC
8.8 Dec 13

stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read i

CVE-2021-40656 HIGH POC
8.8 Apr 08

libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867. Rated high severity (CVSS 8.8), this

CVE-2022-27044 HIGH POC
8.8 Apr 08

libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876. Rated high severity (CVSS 8.8), this vulnerab

CVE-2022-27046 HIGH POC
8.8 Apr 08

libsixel 1.8.6 suffers from a Heap Use After Free vulnerability in in libsixel/src/dither.c:388. Rated high severity (CV

CVE-2019-3574 HIGH POC
7.8 Jan 02

In libsixel v1.8.2, there is a heap-based buffer over-read in the function load_jpeg() in the file loader.c, as demonstr

Vendor StatusVendor

SUSE

Severity: Low

Share

EUVD-2026-22740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy