Tmux
A use-after-free in tmux's SIXEL image handling allows a local, low-privileged attacker to trigger memory corruption or denial of service in versions up to 3.6a; attack complexity is high. The root cause lies in the `image_free()` function in `image.c`: image structs retain stale pointers to their original parent screen's image list after alternate screen transitions, so `TAILQ_REMOVE` dereferences an invalid list pointer. No active exploitation is confirmed (the issue is not in CISA KEV), though publicly available exploit code exists per the CVE vector's E:P designation and a public gist from XlabAITeam. A fix is available in tmux 3.7-rc.
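For fleet triage, the version range stated above can be checked against the output of `tmux -V`. The function below is an added example, not code from the advisory or from the tmux project; the name `tmux_sixel_uaf_status` and the sample strings are constructed, and it assumes upstream version numbering (a distribution package may carry a backported fix under an older version number).

```shell
#!/bin/sh
# Added example: classify a tmux version string against the range in the
# summary above (affected up to 3.6a, fixed in 3.7-rc).
# Prints one of: affected | fixed | unknown
tmux_sixel_uaf_status() {
    v=${1#tmux }                      # accept "tmux 3.6a" or bare "3.6a"
    case $v in
        next-*) echo unknown; return 0 ;;   # development build: version alone cannot decide
    esac
    base=${v%%-*}                     # drop a "-rc" style suffix
    case $base in
        *.*) ;;                       # need at least MAJOR.MINOR
        *) echo unknown; return 0 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%[!0-9]*}            # "6a" -> "6": the letter is a patch level
    case $major in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $minor in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    # The summary gives no lower bound, so everything up to 3.6x is reported.
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -le 6 ]; }; then
        echo affected
    else
        echo fixed
    fi
}

# Constructed sample inputs; on a real host use:
#   tmux_sixel_uaf_status "$(tmux -V)"
for sample in "tmux 3.6a" "tmux 3.7-rc" "tmux next-3.7" "tmux 3.10"; do
    printf '%-16s %s\n' "$sample" "$(tmux_sixel_uaf_status "$sample")"
done
```

An `unknown` result means the build has to be checked by source revision or package changelog rather than by version string.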