Description
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. In sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, causing the bounds guard to be skipped entirely, and the unclamped coordinate is passed through sixel_frame_clip() to clip(), which computes a source pointer far beyond the image buffer and passes it to memmove(). An attacker supplying a specially crafted crop argument with any valid image can trigger an out-of-bounds read in the heap, resulting in a reliable crash and potential information disclosure. This issue has been fixed in version 1.8.7-r1.
Published: 2026-04-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

A bug in libsixel's img2sixel command causes an integer overflow when processing the --crop option. Positive coordinates up to INT_MAX are accepted without safe bounds checks, leading to a negative width calculation that skips the bounds guard. The resulting out‑of‑bounds read occurs during a memmove, causing a crash and exposing data from the heap. The flaw can disclose sensitive information present in the process memory. This is a classic out‑of‑bounds read (CWE‑125) exacerbated by an integer overflow (CWE‑190).

Affected Systems

The vulnerability affects the libsixel library version 1.8.7 and earlier distributed by saitoha. Any system that runs the img2sixel tool with the --crop parameter and provides a crafted coordinate can be impacted.

Risk and Exploitability

The CVSS base score is 7.1, indicating high severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to supply a specially crafted crop argument, which is typically a local user or a process that controls input to img2sixel. Based on the description, the attack vector is inferred to be local; there is no evidence of remote exploitation via network interfaces. The vulnerability is exploitable when input validation is bypassed, making it a reliable crash with the potential to leak memory contents.

Generated by OpenCVE AI on April 14, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libsixel to version 1.8.7‑r1 or newer, which contains the patch for the integer overflow.
  • If an upgrade is not immediately possible, completely disable or remove usage of the --crop option when invoking img2sixel, or replace it with a validated wrapper that rejects coordinates outside the image bounds.
  • Validate any externally supplied crop coordinates before passing them to img2sixel to ensure they are within the image dimensions, thereby preventing the overflow.

Generated by OpenCVE AI on April 14, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Saitoha
Saitoha libsixel
Vendors & Products Saitoha
Saitoha libsixel

Wed, 15 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 14 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. In sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, causing the bounds guard to be skipped entirely, and the unclamped coordinate is passed through sixel_frame_clip() to clip(), which computes a source pointer far beyond the image buffer and passes it to memmove(). An attacker supplying a specially crafted crop argument with any valid image can trigger an out-of-bounds read in the heap, resulting in a reliable crash and potential information disclosure. This issue has been fixed in version 1.8.7-r1.
Title libsixel: Integer overflow leads to Out-of-bounds Read in img2sixel
Weaknesses CWE-125
CWE-190
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H'}

Subscriptions

Saitoha Libsixel
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T20:02:46.628Z

Reserved: 2026-03-17T17:22:14.667Z

Link: CVE-2026-33019

cve-icon Vulnrichment

Updated: 2026-04-15T18:54:38.859Z

cve-icon NVD

Status : Received

Published: 2026-04-14T22:16:30.380

Modified: 2026-04-15T20:16:35.007

Link: CVE-2026-33019

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-14T21:49:25Z

Links: CVE-2026-33019 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses