Skip to main content

Libsixel EUVDEUVD-2026-22748

| CVE-2026-33023 HIGH
Use After Free (CWE-416)
2026-04-14 GitHub_M
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Patch released
Apr 23, 2026 - 14:46 nvd
Patch available
Analysis Updated
Apr 16, 2026 - 05:57 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.8.7-r1
Re-analysis Queued
Apr 15, 2026 - 20:22 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 01:08 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:46 euvd
EUVD-2026-22748
Analysis Generated
Apr 14, 2026 - 22:46 vuln.today
CVE Published
Apr 14, 2026 - 22:05 nvd
HIGH 7.8

DescriptionGitHub Advisory

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1.

AnalysisAI

Use-after-free in libsixel's gdk-pixbuf2 loader enables local attackers to achieve code execution via crafted images. Affects libsixel versions through 1.8.7 when compiled with --with-gdk-pixbuf2 option. The vulnerability stems from inconsistent memory management in load_with_gdkpixbuf(), which manually frees reference-counted frame objects, leaving dangling pointers that callbacks can access post-cleanup. CVSS 7.8 (High) with local attack vector requiring user interaction. Fixed in version 1.8.7-r1. No confirmed active exploitation (CISA KEV), though proof-of-concept feasibility is high given the deterministic nature of the memory corruption.

Technical ContextAI

libsixel is a SIXEL graphics encoder/decoder library (CPE: cpe:2.3:a:saitoha:libsixel) supporting multiple image loading backends. When built with gdk-pixbuf2 integration (optional --with-gdk-pixbuf2 flag), the loader.c implementation contains a reference counting inconsistency mapped to CWE-416 (Use After Free). The sixel_frame_t object follows a refcounted lifecycle using sixel_frame_new() for allocation and sixel_frame_unref() for cleanup in most code paths. However, load_with_gdkpixbuf() diverges by directly calling free() on both the frame object and its internal buffers without decrementing the reference count. This violates the object's lifetime contract: public callbacks that legitimately call sixel_frame_ref(frame) to retain ownership receive a logically valid reference that becomes a dangling pointer when sixel_helper_load_image_file() returns. The parallel load_with_builtin() function correctly uses sixel_frame_unref(), demonstrating the architectural inconsistency. AddressSanitizer confirms the temporal memory safety violation during subsequent frame field accesses.

RemediationAI

Upgrade to libsixel version 1.8.7-r1 or later, which resolves the use-after-free by ensuring consistent reference counting across all image loader backends. The fix is available from the official release at https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1. Organizations must rebuild and redeploy all applications linking against libsixel. As a temporary workaround for environments unable to immediately patch, disable gdk-pixbuf2 support by recompiling libsixel without the --with-gdk-pixbuf2 flag and using alternative image loading backends, though this may reduce format compatibility. Application-level mitigations include restricting image processing to trusted sources and running libsixel-dependent processes in sandboxed environments with limited privileges to contain potential exploitation impact.

CVE-2019-20140 HIGH POC
8.8 Dec 30

An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n

CVE-2019-20094 HIGH POC
8.8 Dec 30

An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n

CVE-2019-20205 HIGH POC
8.8 Jan 02

libsixel 1.8.4 has an integer overflow in sixel_frame_resize in frame.c. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2021-41715 HIGH POC
8.8 Apr 08

libsixel 1.10.0 is vulnerable to Use after free in libsixel/src/dither.c:379. Rated high severity (CVSS 8.8), this vulne

CVE-2020-21548 HIGH POC
8.8 Sep 17

Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c. Rated high sev

CVE-2020-21547 HIGH POC
8.8 Sep 17

Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c. Rated high severity (C

CVE-2019-19778 HIGH POC
8.8 Dec 13

An issue was discovered in libsixel 1.8.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n

CVE-2019-19777 HIGH POC
8.8 Dec 13

stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read i

CVE-2021-40656 HIGH POC
8.8 Apr 08

libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867. Rated high severity (CVSS 8.8), this

CVE-2022-27044 HIGH POC
8.8 Apr 08

libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876. Rated high severity (CVSS 8.8), this vulnerab

CVE-2022-27046 HIGH POC
8.8 Apr 08

libsixel 1.8.6 suffers from a Heap Use After Free vulnerability in in libsixel/src/dither.c:388. Rated high severity (CV

CVE-2019-3574 HIGH POC
7.8 Jan 02

In libsixel v1.8.2, there is a heap-based buffer over-read in the function load_jpeg() in the file loader.c, as demonstr

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-22748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy