Description
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1.
Published: 2026-04-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free that can lead to code execution
Action: Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in the load_with_gdkpixbuf() routine of libsixel. The routine frees the internal sixel_frame_t object directly, disregarding its reference count, and clients can release a valid frame reference before the cleanup. When a subsequent access occurs, a dangling pointer is dereferenced, which is confirmed by AddressSanitizer and can result in information disclosure, memory corruption, or arbitrary code execution. The weakness is a classic reference‑counting error described by CWE‑416 and CWE‑825.
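The two cleanup strategies named in the description, modelled side by side as an added example (this is not libsixel's code). `frame_t`, `frame_ref`, `frame_unref`, `load_raw_free` and `load_unref` are hypothetical stand-ins for the refcounted frame and the two loaders, and the check only inspects bookkeeping, never the freed memory.

```c
#include <stdlib.h>

/* Minimal model of a refcounted frame; every name here is hypothetical. */
typedef struct frame { int ref; unsigned char *pixels; } frame_t;
typedef void (*frame_cb)(frame_t *);

static int live_frames;     /* frames allocated and not yet destroyed */
static frame_t *retained;   /* reference kept by the callback */

static frame_t *frame_new(void) {
    frame_t *f = calloc(1, sizeof *f);
    if (f == NULL) return NULL;
    f->pixels = calloc(16, 1);
    if (f->pixels == NULL) { free(f); return NULL; }
    f->ref = 1;
    live_frames++;
    return f;
}
static void frame_destroy(frame_t *f) { free(f->pixels); free(f); live_frames--; }
static void frame_ref(frame_t *f) { f->ref++; }
static void frame_unref(frame_t *f) { if (f && --f->ref == 0) frame_destroy(f); }

/* Callback that legitimately keeps the frame past the loader call. */
static void keep_frame(frame_t *f) { frame_ref(f); retained = f; }

/* Flawed cleanup: destroys the object regardless of outstanding references. */
static void load_raw_free(frame_cb cb) {
    frame_t *f = frame_new();
    if (f == NULL) return;
    cb(f);
    frame_destroy(f);       /* ref is 2 here, so `retained` now dangles */
}

/* Consistent cleanup: the loader drops only its own reference. */
static void load_unref(frame_cb cb) {
    frame_t *f = frame_new();
    if (f == NULL) return;
    cb(f);
    frame_unref(f);
}

/* Returns 1 when a caller-held reference outlives the object it points to. */
static int dangling_after(void (*loader)(frame_cb)) {
    retained = NULL;
    loader(keep_frame);
    int dangling = (retained != NULL && live_frames == 0);
    if (!dangling) frame_unref(retained);   /* release our still-valid reference */
    retained = NULL;
    return dangling;
}

int main(void) { return !(dangling_after(load_raw_free) && !dangling_after(load_unref)); }
```

Building a real consumer with `-fsanitize=address` reports the same condition at the first access through the retained pointer.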

Affected Systems

Products affected are those built with saitoha/libsixel when the --with-gdk-pixbuf2 option is enabled and using version 1.8.7 or earlier. The issue is fixed in release 1.8.7‑r1.

Risk and Exploitability

The CVSS score is 7.8, indicating a High severity. No EPSS score is available, and the vulnerability is not included in the CISA KEV catalog. An attacker can reliably trigger the flaw by supplying a specially crafted image to any application that loads images via libsixel with gdk‑pixbuf2 support, thereby executing the exploit without needing additional privileges.

Generated by OpenCVE AI on April 15, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libsixel to version 1.8.7‑r1 or later.
  • Rebuild all dependent applications with the updated libsixel library to ensure the use‑after‑free fix is applied.
  • If an upgrade is not immediately possible, disable the gdk‑pixbuf2 support or restrict image inputs to trusted sources in applications that use older libsixel.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*

Wed, 15 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Saitoha
Saitoha libsixel
Vendors & Products Saitoha
Saitoha libsixel

Wed, 15 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Important


Tue, 14 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
Description libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1.
Title libsixel: Use-after-free in load_with_gdkpixbuf()
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T20:02:36.839Z

Reserved: 2026-03-17T17:22:14.667Z

Link: CVE-2026-33023

Vulnrichment

Updated: 2026-04-15T18:53:07.970Z

NVD

Status : Analyzed

Published: 2026-04-14T23:16:27.820

Modified: 2026-04-23T14:46:46.827

Link: CVE-2026-33023

Redhat

Severity : Important

Public Date: 2026-04-14T22:05:31Z

Links: CVE-2026-33023 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses