Description
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across all frames of an animated GIF and gif_init_frame() unconditionally frees and reallocates frame->pixels between frames without consulting the object's reference count. Because the public API explicitly provides sixel_frame_ref() to retain a frame and sixel_frame_get_pixels() to access the raw pixel buffer, a callback following this documented usage pattern will hold a dangling pointer after the second frame is decoded, resulting in a heap use-after-free confirmed by ASAN. Any application using sixel_helper_load_image_file() with a multi-frame callback to process user-supplied animated GIFs is affected, with a reliable crash as the minimum impact and potential for code execution. This issue has been fixed in version 1.8.7-r1.
Published: 2026-04-14
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Code Execution via Use-After-Free
Action: Apply Patch
AI Analysis

Impact

A Use-After-Free condition arises in the load_gif() function of libsixel when handling animated GIFs. The function reuses a single sixel_frame_t object for each frame and frees its pixel buffer unconditionally, without checking the reference count. When a user-supplied callback follows the documented reference pattern, it may access a dangling pointer after decoding the second frame, which has been confirmed by AddressSanitizer. This leads to a reliable crash and, if an attacker controls memory layout, can be leveraged for arbitrary code execution.
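
The lifetime problem described above, reduced to a toy model (an added example, not libsixel's code and not the change made in 1.8.7-r1): `toy_frame`, `init_unchecked()` and `next_guarded()` are hypothetical names, and the guard shown is one possible way to respect the reference count.

```c
#include <stdlib.h>
#include <string.h>

/* Toy ref-counted frame for illustration; NOT libsixel's sixel_frame_t. */
typedef struct { int ref; unsigned char *pixels; size_t size; } toy_frame;

toy_frame *toy_new(void)
{
    toy_frame *f = calloc(1, sizeof *f);
    if (f) f->ref = 1;
    return f;
}

void toy_unref(toy_frame *f)
{
    if (f && --f->ref == 0) { free(f->pixels); free(f); }
}

/* Pattern from the description: the buffer is replaced in place whatever
 * the reference count, so a pixel pointer taken earlier by the holder of a
 * second reference is left dangling. */
int init_unchecked(toy_frame *f, size_t size, unsigned char fill)
{
    free(f->pixels);
    f->pixels = malloc(size);
    if (!f->pixels) { f->size = 0; return -1; }
    f->size = size;
    memset(f->pixels, fill, size);
    return 0;
}

/* Guarded variant: if a consumer still holds a reference, leave that object
 * to it untouched and decode the next image into a fresh frame. Returns the
 * frame now owned by the decoder; on failure returns NULL and the decoder's
 * reference has been released. */
toy_frame *next_guarded(toy_frame *cur, size_t size, unsigned char fill)
{
    toy_frame *f = cur;
    if (cur->ref > 1) {
        toy_unref(cur);              /* drop only the decoder's reference */
        f = toy_new();
        if (!f) return NULL;
    }
    if (init_unchecked(f, size, fill) != 0) { toy_unref(f); return NULL; }
    return f;
}
```

With the guard, a retained first frame keeps its own pixel buffer while later frames land in a separate object; a frame nobody retained is still reused in place.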

Affected Systems

The library affected is saitoha:libsixel, version 1.8.7 and all earlier releases. The fix was released in version 1.8.7-r1; any application linking against an unpatched library and calling sixel_helper_load_image_file() with a multi‑frame callback on user‑supplied animated GIFs is impacted.

Risk and Exploitability

The CVSS score of 7 indicates a high severity, but the EPSS score is unavailable, so current exploitation likelihood is unknown. The vulnerability is not present in CISA’s KEV catalog, implying no confirmed widespread exploitation yet. Attackers would need to supply a malicious animated GIF to a vulnerable application; the use‑after‑free provides a crash baseline, and if the attacker can influence heap contents, code execution is possible. Successful exploitation typically requires the victim process to have sufficient privileges to compromise the host. The documented usage pattern makes it straightforward for an attacker to trigger the flaw if they can manipulate the callback.

Generated by OpenCVE AI on April 15, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libsixel to version 1.8.7-r1 or later, which removes the Use-After-Free by guarding the pixel buffer against unchecked frees.
  • If upgrading is not immediately possible, avoid passing animated GIFs to sixel_helper_load_image_file() or bypass the multi‑frame callback, ensuring only single‑frame images are processed.
  • Implement input validation to reject any file with more than one animation frame before invoking the decoder, or sanitize the callback to avoid using intermediate frame buffers after they are freed.
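
A pre-decode check of the kind the last recommendation describes, as an added example (not OpenCVE's or libsixel's code): `gif_count_frames()` is a hypothetical helper that walks the GIF block structure and counts image descriptors, returning -1 on anything truncated or malformed.

```c
#include <stddef.h>
#include <string.h>

/* Skip a chain of length-prefixed data sub-blocks; -1 if it runs off the end. */
static int skip_sub_blocks(const unsigned char *p, size_t n, size_t *i)
{
    for (;;) {
        if (*i >= n) return -1;
        size_t len = p[(*i)++];
        if (len == 0) return 0;                 /* block terminator */
        if (len > n - *i) return -1;
        *i += len;
    }
}

/* Hypothetical helper, not part of libsixel: number of image descriptors in
 * an in-memory GIF, or -1 if the data is truncated or malformed. */
int gif_count_frames(const unsigned char *p, size_t n)
{
    size_t i = 13;              /* 6-byte signature + 7-byte screen descriptor */
    int frames = 0;

    if (n < 13 || (memcmp(p, "GIF87a", 6) != 0 && memcmp(p, "GIF89a", 6) != 0))
        return -1;
    if (p[10] & 0x80)                           /* global color table */
        i += (size_t)3 << ((p[10] & 7) + 1);
    while (i < n) {
        unsigned char tag = p[i++];
        if (tag == 0x3B) return frames;         /* trailer */
        if (tag == 0x21) {                      /* extension: label + sub-blocks */
            if (i >= n) return -1;
            i++;
            if (skip_sub_blocks(p, n, &i) != 0) return -1;
        } else if (tag == 0x2C) {               /* image descriptor */
            if (n - i < 10) return -1;          /* 9 descriptor bytes + LZW size */
            unsigned char flags = p[i + 8];
            i += 9;
            if (flags & 0x80)                   /* local color table */
                i += (size_t)3 << ((flags & 7) + 1);
            if (i >= n) return -1;
            i++;                                /* LZW minimum code size */
            if (skip_sub_blocks(p, n, &i) != 0) return -1;
            frames++;
        } else {
            return -1;                          /* unknown block type */
        }
    }
    return -1;                                  /* no trailer seen */
}
```

A caller on an unpatched library would refuse any file for which the result is not exactly 1, so the check fails closed on malformed input as well as on animations.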

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Saitoha
Saitoha libsixel
Vendors & Products Saitoha
Saitoha libsixel

Wed, 15 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 14 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description (same text as the Description at the top of this page)
Title libsixel: Use-After-Free in load_gif()
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T13:53:25.060Z

Reserved: 2026-03-17T17:22:14.666Z

Link: CVE-2026-33018

Vulnrichment

Updated: 2026-04-16T13:53:05.842Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T22:16:30.213

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-33018

Redhat

Severity: Moderate

Public Date: 2026-04-14T21:45:42Z

Links: CVE-2026-33018 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z
