Description
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dangling pointer. Any subsequent access to the original buffer by the caller constitutes a use-after-free, confirmed by AddressSanitizer. An attacker who controls incoming frames can trigger this bug repeatedly and predictably, resulting in a reliable crash with potential for code execution. This issue has been fixed in version 1.8.7-r1.
Published: 2026-04-14
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Use-after-free potentially leading to crash or code execution
Action: Patch
AI Analysis

Impact

libsixel, a SIXEL encoder/decoder, has a use‑after‑free flaw in sixel_encoder_encode_bytes() in versions 1.8.7 and earlier. The flaw occurs because sixel_frame_init() stores a caller‑owned pixel buffer pointer directly without copying it, and a subsequent resize triggers sixel_frame_convert_to_rgb888() to free that external buffer, leaving the caller with a dangling pointer. If the caller then accesses the original buffer, a crash occurs. The use‑after‑free was confirmed with AddressSanitizer, and repeated, predictable triggering could also enable code execution, although this is not a confirmed remote code execution vulnerability.

Affected Systems

The saitoha:libsixel packages up to and including 1.8.7 are affected. The release 1.8.7‑r1 resolves the issue by making a defensive copy of pixel data, eliminating the dangling pointer.
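
The ownership pattern behind this bug and the defensive-copy fix, as an added C example (a toy model written for this page, not libsixel source code). The toy_* names and the borrowed flag are hypothetical, and the 4-byte pixel buffer is constructed sample data.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model of the buffer-ownership bug; hypothetical names, not libsixel's API. */
typedef struct {
    unsigned char *pixels;
    size_t len;
    int borrowed;               /* 1 while pixels still aliases the caller's buffer */
} toy_frame;

/* Pre-fix pattern: store the caller-owned pointer directly. */
static void toy_frame_init_borrow(toy_frame *f, unsigned char *px, size_t len) {
    f->pixels = px; f->len = len; f->borrowed = 1;
}

/* Fixed pattern: take a private copy, so the frame only ever frees its own memory. */
static int toy_frame_init_copy(toy_frame *f, const unsigned char *px, size_t len) {
    f->pixels = malloc(len);
    if (f->pixels == NULL) return -1;
    memcpy(f->pixels, px, len);
    f->len = len; f->borrowed = 0;
    return 0;
}

/* Conversion step: unconditionally frees the old buffer and installs a new one.
 * Returns 1 if the freed buffer was the caller's, 0 if it was the frame's own, -1 on OOM. */
static int toy_frame_convert(toy_frame *f) {
    int freed_callers = f->borrowed;
    unsigned char *out = malloc(f->len);
    if (out == NULL) return -1;
    memcpy(out, f->pixels, f->len);
    free(f->pixels);            /* in borrow mode this releases the caller's buffer */
    f->pixels = out; f->borrowed = 0;
    return freed_callers;
}

/* One encode-like call. Returns 1 if the caller's pointer is left dangling, 0 if not. */
static int caller_buffer_freed(int use_copy) {
    toy_frame f; int r;
    unsigned char *buf = malloc(4);
    if (buf == NULL) return -1;
    memcpy(buf, "\x10\x20\x30\x40", 4);     /* constructed sample pixels */
    if (!use_copy) toy_frame_init_borrow(&f, buf, 4);
    else if (toy_frame_init_copy(&f, buf, 4) != 0) { free(buf); return -1; }
    r = toy_frame_convert(&f);
    if (r == 0 && buf[0] != 0x10) r = -1;   /* copy path: caller data must be intact */
    if (use_copy) free(buf);                /* caller still owns buf only on the copy path */
    free(f.pixels);
    return r;
}
```

In the borrow path the caller must not read or free buf after the conversion, which is exactly the access AddressSanitizer reports as a use-after-free.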

Risk and Exploitability

With a CVSS score of 7.3, the vulnerability is considered high severity. The EPSS score is under 1%, suggesting a low probability of opportunistic exploitation, and it is not listed in CISA’s KEV catalog. An attacker who can supply crafted SIXEL frames can reliably trigger the flaw, causing crashes or possibly execution, especially in untrusted input scenarios. Overall, the risk warrants prompt remediation.

Generated by OpenCVE AI on April 15, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the libsixel package to version 1.8.7‑r1 or later, which copies pixel buffers internally and addresses CWE‑416 and CWE‑825.
  • Audit calls to sixel_encoder_encode_bytes() to ensure that caller‑owned buffers are not freed by the library, or avoid passing external buffers that might be freed during conversion.
  • Validate all incoming SIXEL frames before encoding; reject frames with unexpected size or content, and use safe parsing to mitigate the use‑after‑free condition.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Saitoha
Saitoha libsixel
Vendors & Products Saitoha
Saitoha libsixel

Wed, 15 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 14 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
Description libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dangling pointer. Any subsequent access to the original buffer by the caller constitutes a use-after-free, confirmed by AddressSanitizer. An attacker who controls incoming frames can trigger this bug repeatedly and predictably, resulting in a reliable crash with potential for code execution. This issue has been fixed in version 1.8.7-r1.
Title libsixel: Use-after-free in sixel_encoder_encode_bytes()
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T13:54:36.177Z

Reserved: 2026-03-17T17:22:14.667Z

Link: CVE-2026-33021

Vulnrichment

Updated: 2026-04-16T13:54:28.675Z

NVD

Status: Analyzed

Published: 2026-04-14T23:16:27.660

Modified: 2026-04-23T14:23:26.220

Link: CVE-2026-33021

Redhat

Severity: Moderate

Public Date: 2026-04-14T21:57:22Z

Links: CVE-2026-33021 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses