Description
libcaca is a colour ASCII art library. In 0.99.beta20 and earlier, an integer overflow vulnerability in libcaca's canvas import functionality allows an attacker to cause a controlled heap out-of-bounds write (heap overflow) by supplying a crafted file in the "caca" format. Depending on the build configuration and memory allocator, this may lead to memory corruption or remote code execution. This is the same vulnerability as CVE-2021-3410 but the fix at that time was not fully correct. Commit fb77acff9ba6bb01d53940da34fb10f20b156a23 fixes this vulnerability.
Published: 2026-05-11
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow in libcaca’s canvas import functionality causes a controlled heap out‑of‑bounds write. If an attacker supplies a crafted file in the "caca" format, the overflow may corrupt memory or enable remote code execution. The vulnerability is identical to CVE-2021-3410 but the initial fix was incomplete; the commit fb77acff9ba6bb01d53940da34fb10f20b156a23 now fully resolves the flaw.

Affected Systems

The affected vendor is cacalabs, product libcaca. Versions 0.99.beta20 and all older releases are impacted, because the heap overflow occurs in the pre‑beta20 code paths of the canvas import functions. Any installation that links against an unpatched libcaca library and processes untrusted "caca" format files is susceptible.

Risk and Exploitability

The CVSS base score is 7.8, indicating high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to provide a malicious file to the application’s import routine; thus the likely attack vector is local file‑based. If the affected application accepts files from network or other untrusted sources, remote execution may be possible, making the risk significant in those contexts.

Generated by OpenCVE AI on May 11, 2026 at 23:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libcaca to a version that includes commit fb77acff9ba6bb01d53940da34fb10f20b156a23, which fully patches the integer overflow.
  • Rebuild or reinstall any dependent applications to ensure they link against the patched libcaca library.
  • If the application cannot be updated immediately, disable or restrict the canvas import functionality to trusted users or sandbox the import process to isolate potential memory corruption.

Generated by OpenCVE AI on May 11, 2026 at 23:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description libcaca is a colour ASCII art library. In 0.99.beta20 and earlier, an integer overflow vulnerability in libcaca's canvas import functionality allows an attacker to cause a controlled heap out-of-bounds write (heap overflow) by supplying a crafted file in the "caca" format. Depending on the build configuration and memory allocator, this may lead to memory corruption or remote code execution. This is the same vulnerability as CVE-2021-3410 but the fix at that time was not fully correct. Commit fb77acff9ba6bb01d53940da34fb10f20b156a23 fixes this vulnerability.
Title libcaca: Heap OOB write in canvas import functions caused by int overflow
Weaknesses CWE-122
CWE-190
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T21:23:35.259Z

Reserved: 2026-04-23T16:05:01.709Z

Link: CVE-2026-42046

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-11T22:22:11.130

Modified: 2026-05-11T22:22:11.130

Link: CVE-2026-42046

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T23:45:03Z

Weaknesses