
tmux EUVD-2026-35297 / CVE-2026-11623
Severity: LOW (1.1, CVSS 4.0, NVD)
Weakness: Use After Free (CWE-416)
Published: 2026-06-09 · Sources: VulDB, GHSA-4cw9-jpqf-99x8

Severity by source

NVD (primary): 1.1 LOW
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; NVD is the only scoring source for this CVE.

CVSS Vector (NVD), decoded

Attack Vector: Local
Attack Complexity: High
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Confidentiality / Integrity / Availability: Low / Low / Low
Subsequent System Confidentiality / Integrity / Availability: None / None / None
Exploit Maturity: Proof-of-Concept

Note that CVSS 4.0 has no Scope metric; the Subsequent System metrics above (all None) take its place, meaning no impact beyond the tmux process itself.

Lifecycle Timeline

Jun 09, 2026 05:29 (vuln.today): Source code evidence fetched
Jun 09, 2026 05:29 (vuln.today): Analysis generated
Jun 09, 2026 05:22 (NVD): Severity changed, MEDIUM → LOW
Jun 09, 2026 05:22 (NVD): CVSS changed, 4.5 (MEDIUM) → 1.1 (LOW)

Description (CVE.org)

A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use after free. Local access is required to approach this attack. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 3.7-rc can address this issue. The name of the patch is fc6d94a9f8a593bd8b7031650802084385d4ee03. The affected component should be upgraded.

Analysis (AI-generated)

Use-after-free in tmux's SIXEL image handling, in image_free() in image.c, affecting versions up to 3.6a. A local, low-privileged attacker can trigger memory corruption or a denial of service of the tmux process, but only through a high-complexity sequence of operations. The root cause is a stale back-pointer: an image struct keeps a pointer to the image list of the screen it was originally attached to, and that pointer is not updated when an alternate-screen transition moves the image to another screen's list. When image_free() later passes the stale list head to TAILQ_REMOVE, the macro writes through link pointers belonging to a list the image is no longer on, corrupting the list and leaving a dangling tail pointer to the freed struct. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain local low-privilege shell access
Delivery: Launch or attach to a SIXEL-enabled tmux session
Exploit: Load a SIXEL image into the terminal via an image-rendering application
Execution: Trigger alternate screen on/off transitions to move images between list queues
Persist: Force an image_free call on an image struct with a stale list pointer
Impact: Corrupt the TAILQ linked-list structure, causing a crash or limited memory corruption

Vulnerability Assessment (AI-generated)

Exploitation: Three prerequisites must all hold at once: (1) tmux must be built with SIXEL support, i.e. the `ENABLE_SIXEL` preprocessor flag set at build time; many distribution packages omit it, and such builds do not contain the affected code path; (2) the attacker needs local access with at least low-privileged credentials (PR:L in the CVSS 4.0 vector), so remote exploitation is not possible; (3) attack complexity is high (AC:H): the attacker must drive a precise sequence of SIXEL image loading followed by alternate-screen transitions so that an image carries a stale list pointer at the moment `image_free` runs. …
Risk Assessment: The NVD CVSS 4.0 score of 1.1 reflects the low practical risk: local-only access, high complexity, a SIXEL-enabled build as a precondition, and an impact confined to a crash or limited memory corruption of the attacker's own tmux server process with no effect on other systems (SC/SI/SA all None). …
Exploit Scenario: A local user with a standard shell on a system running a SIXEL-enabled tmux build opens a tmux session and uses a SIXEL-capable application (for example a terminal image viewer) to load images into it. By triggering alternate-screen transitions in a specific order while SIXEL images are loaded, for instance by launching and exiting an application that switches to the alternate screen, the user leaves image structs holding stale list pointers, so that the next image_free operates on the wrong list. …
Remediation: Upgrade tmux to version 3.7-rc or later, which contains patch commit fc6d94a9f8a593bd8b7031650802084385d4ee03 (https://github.com/tmux/tmux/commit/fc6d94a9f8a593bd8b7031650802084385d4ee03), released as https://github.com/tmux/tmux/releases/tag/3.7-rc. Check the installed version with `tmux -V`; note that a running tmux server keeps executing the old binary until it is restarted, so upgrading the package alone is not enough. Builds without `ENABLE_SIXEL` are not exposed. …
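The stale-parent-pointer mechanism described in the analysis, attack chain and exploit scenario above, as an added, self-contained example. This is not tmux's code and not the upstream patch: the structs, `images_move`, `image_free`, `head_is_consistent` and `simulate` are hypothetical simplifications that reproduce only the list-handling error, and the `sync_parent` flag stands in for whatever bookkeeping keeps the back-pointer correct. TAILQ_REMOVE is written out with the BSD sys/queue.h semantics so the failure can be followed line by line.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal TAILQ macros with the same semantics as BSD <sys/queue.h>,
 * written out so the example builds without that header. */
#define TAILQ_HEAD(name, type) \
    struct name { struct type *tqh_first; struct type **tqh_last; }
#define TAILQ_ENTRY(type) \
    struct { struct type *tqe_next; struct type **tqe_prev; }
#define TAILQ_INIT(head) do { \
    (head)->tqh_first = NULL; (head)->tqh_last = &(head)->tqh_first; } while (0)
#define TAILQ_FIRST(head) ((head)->tqh_first)
#define TAILQ_INSERT_TAIL(head, elm, field) do { \
    (elm)->field.tqe_next = NULL; \
    (elm)->field.tqe_prev = (head)->tqh_last; \
    *(head)->tqh_last = (elm); \
    (head)->tqh_last = &(elm)->field.tqe_next; } while (0)
#define TAILQ_REMOVE(head, elm, field) do { \
    if ((elm)->field.tqe_next != NULL) \
        (elm)->field.tqe_next->field.tqe_prev = (elm)->field.tqe_prev; \
    else \
        (head)->tqh_last = (elm)->field.tqe_prev; \
    *(elm)->field.tqe_prev = (elm)->field.tqe_next; } while (0)

/* Hypothetical model, not tmux's real definitions: a screen owns a list of
 * images and each image keeps a back-pointer to the screen it believes owns it. */
struct image;
TAILQ_HEAD(images, image);
struct screen { struct images images; };
struct image {
    struct screen      *s;     /* parent screen: the pointer that goes stale */
    TAILQ_ENTRY(image)  entry;
};

static struct image *image_new(struct screen *s)
{
    struct image *im = calloc(1, sizeof *im);
    if (im == NULL)
        abort();
    im->s = s;
    TAILQ_INSERT_TAIL(&s->images, im, entry);
    return im;
}

/* Model of an alternate-screen transition: images migrate from src to dst.
 * With sync_parent == 0 the back-pointer is left behind (the stale condition). */
static void images_move(struct screen *src, struct screen *dst, int sync_parent)
{
    struct image *im;
    while ((im = TAILQ_FIRST(&src->images)) != NULL) {
        TAILQ_REMOVE(&src->images, im, entry);
        if (sync_parent)
            im->s = dst;
        TAILQ_INSERT_TAIL(&dst->images, im, entry);
    }
}

/* Unlinks from whichever list im->s names, then frees. With a stale im->s,
 * TAILQ_REMOVE rewrites the wrong head's tqh_last and leaves the real list's
 * tqh_last pointing into the freed struct: the next insert writes after free. */
static void image_free(struct image *im)
{
    TAILQ_REMOVE(&im->s->images, im, entry);
    free(im);
}

/* A consistent head has tqh_last pointing at the last element's tqe_next, or at
 * its own tqh_first when empty. Pointers are compared, never dereferenced. */
static int head_is_consistent(struct images *h)
{
    struct image *im, *last = NULL;
    for (im = TAILQ_FIRST(h); im != NULL; im = im->entry.tqe_next)
        last = im;
    if (last == NULL)
        return h->tqh_last == &h->tqh_first;
    return h->tqh_last == &last->entry.tqe_next;
}

/* The sequence from the attack chain: load an image on the base screen, switch
 * to the alternate screen (moving the image), free the image. Returns 1 if both
 * list heads are still consistent afterwards, 0 if the free corrupted them. */
int simulate(int sync_parent)
{
    struct screen base, alt;
    struct image *im;
    TAILQ_INIT(&base.images);
    TAILQ_INIT(&alt.images);
    im = image_new(&base);
    images_move(&base, &alt, sync_parent);
    image_free(im);
    return head_is_consistent(&base.images) && head_is_consistent(&alt.images);
}

int main(void)
{
    printf("stale parent pointer:   heads consistent = %d\n", simulate(0));
    printf("parent pointer updated: heads consistent = %d\n", simulate(1));
    return 0;
}
```

With `sync_parent` off, the free hands TAILQ_REMOVE the base screen's head while the image is on the alternate screen's list: the base head's tail pointer is redirected into the alternate head, and the alternate head's tail pointer is left aimed at the just-freed struct, so a later insert on that list would write into freed memory. Keeping the back-pointer in step with the list the image is actually on (or passing the owning list explicitly) makes both heads consistent again; the real tmux fix is in the commit referenced above and may differ from this simplification.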
