Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionGitHub Advisory
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1.
AnalysisAI
Use-after-free in libsixel's gdk-pixbuf2 loader enables local attackers to achieve code execution via crafted images. Affects libsixel versions through 1.8.7 when compiled with --with-gdk-pixbuf2 option. The vulnerability stems from inconsistent memory management in load_with_gdkpixbuf(), which manually frees reference-counted frame objects, leaving dangling pointers that callbacks can access post-cleanup. CVSS 7.8 (High) with local attack vector requiring user interaction. Fixed in version 1.8.7-r1. No confirmed active exploitation (CISA KEV), though proof-of-concept feasibility is high given the deterministic nature of the memory corruption.
Technical ContextAI
libsixel is a SIXEL graphics encoder/decoder library (CPE: cpe:2.3:a:saitoha:libsixel) supporting multiple image loading backends. When built with gdk-pixbuf2 integration (optional --with-gdk-pixbuf2 flag), the loader.c implementation contains a reference counting inconsistency mapped to CWE-416 (Use After Free). The sixel_frame_t object follows a refcounted lifecycle using sixel_frame_new() for allocation and sixel_frame_unref() for cleanup in most code paths. However, load_with_gdkpixbuf() diverges by directly calling free() on both the frame object and its internal buffers without decrementing the reference count. This violates the object's lifetime contract: public callbacks that legitimately call sixel_frame_ref(frame) to retain ownership receive a logically valid reference that becomes a dangling pointer when sixel_helper_load_image_file() returns. The parallel load_with_builtin() function correctly uses sixel_frame_unref(), demonstrating the architectural inconsistency. AddressSanitizer confirms the temporal memory safety violation during subsequent frame field accesses.
RemediationAI
Upgrade to libsixel version 1.8.7-r1 or later, which resolves the use-after-free by ensuring consistent reference counting across all image loader backends. The fix is available from the official release at https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1. Organizations must rebuild and redeploy all applications linking against libsixel. As a temporary workaround for environments unable to immediately patch, disable gdk-pixbuf2 support by recompiling libsixel without the --with-gdk-pixbuf2 flag and using alternative image loading backends, though this may reduce format compatibility. Application-level mitigations include restricting image processing to trusted sources and running libsixel-dependent processes in sandboxed environments with limited privileges to contain potential exploitation impact.
An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n
An issue was discovered in libsixel 1.8.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n
libsixel 1.8.4 has an integer overflow in sixel_frame_resize in frame.c. Rated high severity (CVSS 8.8), this vulnerabil
libsixel 1.10.0 is vulnerable to Use after free in libsixel/src/dither.c:379. Rated high severity (CVSS 8.8), this vulne
Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c. Rated high sev
Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c. Rated high severity (C
An issue was discovered in libsixel 1.8.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, n
stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read i
libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867. Rated high severity (CVSS 8.8), this
libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876. Rated high severity (CVSS 8.8), this vulnerab
libsixel 1.8.6 suffers from a Heap Use After Free vulnerability in in libsixel/src/dither.c:388. Rated high severity (CV
In libsixel v1.8.2, there is a heap-based buffer over-read in the function load_jpeg() in the file loader.c, as demonstr
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22748