Description
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions up to and including 1.8.7-r1, a signed integer overflow in sixel_encode_highcolor's allocation size calculation can lead to a heap buffer overflow. The public sixel_encode entry point validates only that width and height are greater than zero, with no upper bound. width and height are multiplied as plain int when computing the allocation size for paletted_pixels and normalized_pixels. Any caller that asks libsixel to encode a pixel buffer with width times height greater than INT_MAX (about 2.15 billion) will hit a wrapped allocation size; under the right wrap, the malloc succeeds with a buffer much smaller than the encoder expects, and the encoder writes past the end of the heap allocation. This vulnerability is fixed in 1.8.7-r2.
Published: 2026-05-14
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

libsixel is a SIXEL encoder/decoder library in which a signed integer overflow occurs in the allocation size calculation inside sixel_encode_highcolor. When a caller supplies a pixel buffer whose width multiplied by height exceeds INT_MAX (about 2.15 billion), the multiplication wraps and produces a much smaller allocation size than the pixel count requires. The malloc then returns a buffer that is too small for the data the encoder writes. This heap buffer overflow can allow an attacker to overwrite adjacent memory, potentially enabling arbitrary code execution or service disruption.

Affected Systems

The affected product is the libsixel library from Saitoha, tracked as saitoha:libsixel. Versions up to and including 1.8.7-r1 are vulnerable. Applications that embed libsixel for image rendering or processing should verify the library version, as any software using the unpatched library is at risk.

Risk and Exploitability

The CVSS score of 7.4 describes a high severity flaw. Although the EPSS score is not available, the lack of a KEV listing suggests no widespread exploitation yet; the flaw nevertheless remains exploitable wherever an attacker can supply a large image to a vulnerable encoder. The attack vector is likely remote through any interface that feeds pixel data to libsixel; local exploitation is also possible if an application runs with elevated privileges. Because the unpatched library performs no upper-bound check on the dimensions itself, a carefully crafted payload could trigger a memory overwrite with resulting code execution.

Generated by OpenCVE AI on May 14, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libsixel to version 1.8.7-r2 or newer, where the overflow has been fixed.
  • If an upgrade cannot be performed immediately, add an application-level check on image dimensions that rejects or caps width and height so that width × height does not exceed INT_MAX before calling sixel_encode or sixel_encode_highcolor.
  • If the packaged version cannot be upgraded, compile and deploy a patched copy of libsixel from the upstream repository that incorporates the fixed logic.
  • Restart any services using libsixel after applying the patch or confirming the binary includes the corrected code path.
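The vulnerable pattern named in the description (width and height multiplied as plain int before the allocation size is formed) beside an overflow-checked replacement and the caller-side dimension guard from the recommended actions, as an added C example that is not libsixel's own code. Function names and the bytes_per_pixel parameter are hypothetical; the example assumes a 32-bit int, two's-complement target, and it reproduces the wrapped product in unsigned arithmetic so the demonstration does not itself execute undefined signed overflow.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not libsixel source. It models the bug class the advisory
 * describes (width and height multiplied as plain int when sizing a pixel
 * buffer) and the two defensive checks the recommended actions call for.
 * Function names and the bytes_per_pixel parameter are hypothetical.
 */

/* What a plain `int pixels = width * height;` yields on a 32-bit-int,
 * two's-complement target once the product exceeds INT_MAX. The product is
 * formed in uint32_t (well-defined wrap) and then reinterpreted, so this
 * mirrors the overflow without executing undefined signed arithmetic. */
int wrapped_int_pixels(int width, int height)
{
    uint32_t wrapped = (uint32_t)width * (uint32_t)height;
    return (int)(int32_t)wrapped;
}

/* Caller-side guard from the recommended actions: true only when
 * width * height fits in int, so the encoder's own int arithmetic cannot
 * wrap. The division form never forms the product at all. */
bool dims_fit_int(int width, int height)
{
    if (width <= 0 || height <= 0)
        return false;
    return width <= INT_MAX / height;
}

/* Hardened allocation-size computation: every multiplication is checked
 * before it happens, first in int (the encoder's arithmetic) and then in
 * size_t for the byte count handed to malloc. Returns false on any
 * overflow instead of a silently wrapped size. */
bool checked_pixel_bytes(int width, int height, int bytes_per_pixel,
                         size_t *out_bytes)
{
    if (!dims_fit_int(width, height) || bytes_per_pixel <= 0)
        return false;
    size_t pixels = (size_t)width * (size_t)height;
    if (pixels > SIZE_MAX / (size_t)bytes_per_pixel)
        return false;
    *out_bytes = pixels * (size_t)bytes_per_pixel;
    return true;
}

/* Convenience wrapper: the byte count, or 0 when the dimensions must be
 * rejected. A real encoder would return an error code here rather than
 * proceeding to malloc. */
size_t checked_bytes_or_zero(int width, int height, int bytes_per_pixel)
{
    size_t n = 0;
    return checked_pixel_bytes(width, height, bytes_per_pixel, &n) ? n : 0;
}

/* Allocation that cannot be undersized: NULL both on overflow and on
 * malloc failure, so the caller has a single failure path to handle. */
unsigned char *alloc_pixel_buffer(int width, int height, int bytes_per_pixel)
{
    size_t n;
    if (!checked_pixel_bytes(width, height, bytes_per_pixel, &n))
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed dimensions: 65537 x 65536 pixels exceeds INT_MAX, and the
     * wrapped int product is small enough that malloc would succeed with a
     * buffer far smaller than the encoder expects. */
    int w = 65537, h = 65536;
    printf("plain int product for %d x %d: %d pixels\n", w, h,
           wrapped_int_pixels(w, h));
    printf("dims_fit_int: %s\n", dims_fit_int(w, h) ? "accepted" : "rejected");
    printf("checked bytes at 3 bytes/pixel: %zu (0 = rejected)\n",
           checked_bytes_or_zero(w, h, 3));
    printf("1000 x 1000 at 3 bytes/pixel: %zu bytes\n",
           checked_bytes_or_zero(1000, 1000, 3));
    return 0;
}
```

The guard divides rather than multiplies because the point is to decide whether the product fits before any arithmetic can wrap; once the pixel count is known to fit, the byte count is checked separately in size_t so a large bytes_per_pixel cannot reintroduce the same wrap one step later. Callers that cannot upgrade can apply dims_fit_int at the boundary where image dimensions enter the program.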



Advisories

No advisories yet.

History

Fri, 15 May 2026 18:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*

Thu, 14 May 2026 21:45:00 +0000

Type: First Time appeared
Values added: Saitoha; Saitoha libsixel

Type: Vendors & Products
Values added: Saitoha; Saitoha libsixel

Thu, 14 May 2026 20:15:00 +0000

Type: Description
Values added: libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, signed integer overflow in sixel_encode_highcolor's allocation size calculation can lead to a heap buffer overflow. The public sixel_encode entry point validates only that width and height are greater than zero, with no upper bound. width and height are multiplied as plain int when computing the allocation size for paletted_pixels and normalized_pixels. Any caller that asks libsixel to encode a pixel buffer with width times height greater than INT_MAX (about 2.15 billion) will hit a wrapped allocation size; under the right wrap, the malloc succeeds with a buffer much smaller than the encoder expects, and the encoder writes past the end of the heap allocation. This vulnerability is fixed in 1.8.7-r2.

Type: Title
Values added: libsixel: integer overflow in encoder

Type: Weaknesses
Values added: CWE-122; CWE-190

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T20:01:27.050Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44636

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-14T20:17:08.703

Modified: 2026-05-15T17:56:42.730

Link: CVE-2026-44636

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T21:45:25Z

Weaknesses