CVE-2026-11623 - Vulnerability Details

- tmux image.c image_free use after free

Description

A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use after free. Local access is required to approach this attack. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 3.7-rc is able to address this issue. The name of the patch is fc6d94a9f8a593bd8b7031650802084385d4ee03. The affected component should be upgraded.

Published: 2026-06-09

Score: 2 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability in tmux up to version 3.6a triggers a use‑after‑free condition in the image_free function of image.c. The flaw results from freeing memory that has already been released, causing potential memory corruption of the tmux process.

Affected Systems

This issue affects all versions of the tmux terminal multiplexer through 3.6a. The release candidate 3.7‑rc contains a patch that removes the dangling pointer; thus, versions 3.7‑rc and later are considered mitigated.

Risk and Exploitability

The CVSS score of 2.0 indicates low severity. The EPSS score of <1% signals a very low likelihood of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Local access is required to interact with a tmux session, and the exploit is described as high complexity and difficult to execute. These factors reduce the practical threat to any local attacker.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

tmux

affected

Version	Status	Constraints
`3.6a`	affected	—
`3.7-rc`	unaffected	—

No data.

Vendor Product Confidence Versions

Tmux

95%

Version	Status	Scheme	Platform
`3.6a`	affected	generic	—
`3.7-rc`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the tmux 3.7‑rc patch or later to eliminate the use‑after‑free flaw.
If upgrading is not possible, disable image processing in tmux or restrict image usage to trusted users.
Limit local user access to tmux sessions so that only authorized users can interact with the process.

Generated by OpenCVE AI on June 13, 2026 at 02:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Ubuntu USN	USN-8428-1	tmux vulnerability

Attack Vector Local

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity High

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00124.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://gist.github.com/XlabAITeam/f0d9952595f795129a3258ba73bbc3cb
https://github.com/tmux/tmux/
https://github.com/tmux/tmux/commit/fc6d94a9f8a593bd8b7031650802084385d4ee03
https://github.com/tmux/tmux/releases/tag/3.7-rc
https://nvd.nist.gov/vuln/detail/CVE-2026-11623
https://vuldb.com/cve/CVE-2026-11623
https://vuldb.com/submit/835623
https://vuldb.com/vuln/369303
https://vuldb.com/vuln/369303/cti
https://www.cve.org/CVERecord?id=CVE-2026-11623

History

Sat, 13 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://nvd.nist.gov/vuln/detail/CVE-2026-11623 https://www.cve.org/CVERecord?id=CVE-2026-11623
Metrics	threat_severity `None`	threat_severity `Low`

Tue, 09 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 09 Jun 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use after free. Local access is required to approach this attack. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 3.7-rc is able to address this issue. The name of the patch is fc6d94a9f8a593bd8b7031650802084385d4ee03. The affected component should be upgraded.
Title		tmux image.c image_free use after free
First Time appeared		Tmux Tmux tmux
Weaknesses		CWE-119 CWE-416
CPEs		cpe:2.3:a:tmux:tmux::::::::
Vendors & Products		Tmux Tmux tmux
References		https://gist.github.com/XlabAITeam/f0d9952595f795129a3258ba73bbc3cb https://github.com/tmux/tmux/ https://github.com/tmux/tmux/commit/fc6d94a9f8a593bd8b7031650802084385d4ee03 https://github.com/tmux/tmux/releases/tag/3.7-rc https://vuldb.com/cve/CVE-2026-11623 https://vuldb.com/submit/835623 https://vuldb.com/vuln/369303 https://vuldb.com/vuln/369303/cti
Metrics		cvssV2_0 `{'score': 3.5, 'vector': 'AV:L/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 4.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 4.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Tmux Tmux

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-09T03:15:12.467Z

Updated: 2026-06-23T04:49:28.666Z

Reserved: 2026-06-08T20:19:58.448Z

Link: CVE-2026-11623

Vulnrichment

Updated: 2026-06-09T13:28:41.726Z

NVD

Status : Deferred

Published: 2026-06-09T05:16:30.227

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-11623

Redhat

Severity : Low

Publid Date: 2026-06-09T03:15:12Z

Links: CVE-2026-11623 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-13T03:00:06Z

Weaknesses

CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-416
Use After Free
CWE-825
Expired Pointer Dereference

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity High

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object