Description
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context->pos_x grows by repeat_count on every sixel character with no upper bound check. Once pos_x approaches INT_MAX, the expression "pos_x + repeat_count" used to size the image buffer overflows signed int. Depending on how the overflow wraps, the resize check that should reject oversized buffers can be bypassed, after which a subsequent write computes a large attacker-influenced offset into image->data and writes past the allocation. Reachable from any caller that decodes attacker-supplied SIXEL data, including img2sixel. This vulnerability is fixed in 1.8.7-r2.
Published: 2026-05-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

libsixel, a SIXEL encoder/decoder library, contains a signed integer overflow in its parser. When the horizontal position counter increases with the repeat count from each SIXEL character, the calculation "pos_x + repeat_count" can exceed the maximum signed integer value. If this overflow occurs, the subsequent buffer resize check that should prevent oversized buffers can be bypassed, allowing a write to a large attacker‑controlled offset into the image data. This out‑of‑bounds heap write can corrupt memory, potentially giving an attacker the ability to execute arbitrary code. The vulnerability is reachable from any component that decodes user‑supplied SIXEL data, including the img2sixel utility.
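The check bypass described above, shown as a simplified model in C. This is an added example, not libsixel's source: `MAX_WIDTH` and all function names are hypothetical, and a 32-bit `int` is assumed. It contrasts a size comparison made on the wrapped sum with a bound enforced by subtraction before the addition.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical cap on image width; not a libsixel constant. */
#define MAX_WIDTH 1000000

/* What a 32-bit int holds after a + b wraps, computed through unsigned
 * arithmetic so this demonstration itself has no undefined behaviour. */
static int wrapped_sum(int a, int b) {
    return (int)((unsigned)a + (unsigned)b);
}

/* Unsafe pattern: decide whether to grow by comparing the wrapped sum.
 * Returns 1 if the buffer would be grown, 0 if the resize is skipped. */
int naive_would_grow(int pos_x, int repeat_count, int width) {
    return wrapped_sum(pos_x, repeat_count) > width;
}

/* Overflow-safe form: compare against the cap by subtraction, before adding.
 * Returns 0 and stores the end column, or -1 if the run must be rejected. */
int checked_end(int pos_x, int repeat_count, int *end) {
    if (pos_x < 0 || repeat_count < 0) return -1;
    if (repeat_count > MAX_WIDTH || pos_x > MAX_WIDTH - repeat_count) return -1;
    *end = pos_x + repeat_count;   /* cannot overflow: end <= MAX_WIDTH */
    return 0;
}

/* Advance pos_x over a sequence of repeat counts (one per sixel character),
 * enforcing the bound at every step. Returns final pos_x, or -1 on reject. */
int advance_runs(const int *repeats, size_t n) {
    int pos_x = 0;
    for (size_t i = 0; i < n; i++)
        if (checked_end(pos_x, repeats[i], &pos_x) != 0) return -1;
    return pos_x;
}

int main(void) {
    /* Constructed values: position near INT_MAX, 640-column buffer. */
    int pos_x = INT_MAX - 10, rep = 100, width = 640, end = 0;
    printf("wrapped sum: %d\n", wrapped_sum(pos_x, rep));
    printf("naive grows buffer: %d\n", naive_would_grow(pos_x, rep, width));
    printf("checked result: %d\n", checked_end(pos_x, rep, &end));
    return 0;
}
```

With the constructed values, the wrapped sum is negative, so the naive comparison skips the resize while the position still points far past the buffer; the checked form rejects the run instead.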

Affected Systems

The flaw exists in versions of libsixel (maintained by saitoha) up to and including 1.8.7‑r1. All releases prior to 1.8.7‑r2 are affected. Updating to 1.8.7‑r2 or later removes the integer overflow and prevents the out‑of‑bounds heap write.

Risk and Exploitability

With a CVSS score of 7.1 and no EPSS data, the vulnerability is considered high risk. The attack vector is local to any process that accepts untrusted SIXEL data, so an attacker who can supply such data to a vulnerable application could trigger the heap corruption. The vulnerability is not listed in the CISA KEV catalog and no exploit is known to be actively used, but the lack of bounds checking makes exploitation plausible.

Generated by OpenCVE AI on May 14, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libsixel to version 1.8.7‑r2 or later to eliminate the integer overflow and buffer overflow.
  • If an upgrade is not immediately possible, restrict or validate the length of incoming SIXEL data and reject requests that would cause repeat counts or position values near the integer limit.
  • Implement additional runtime protections such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to make exploitation of any remaining memory corruption harder.



Advisories

No advisories yet.

History

Fri, 15 May 2026 18:00:00 +0000

Values Removed: none
Values Added:
  CPEs: cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*

Fri, 15 May 2026 14:15:00 +0000

Values Removed: none
Values Added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 21:45:00 +0000

Values Removed: none
Values Added:
  First Time appeared: Saitoha; Saitoha libsixel
  Vendors & Products: Saitoha; Saitoha libsixel

Thu, 14 May 2026 20:15:00 +0000

Values Removed: none
Values Added:
  Description: libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context->pos_x grows by repeat_count on every sixel character with no upper bound check. Once pos_x approaches INT_MAX, the expression "pos_x + repeat_count" used to size the image buffer overflows signed int. Depending on how the overflow wraps, the resize check that should reject oversized buffers can be bypassed, after which a subsequent write computes a large attacker-influenced offset into image->data and writes past the allocation. Reachable from any caller that decodes attacker-supplied SIXEL data, including img2sixel. This vulnerability is fixed in 1.8.7-r2.
  Title: libsixel: integer overflow in parser
  Weaknesses: CWE-190; CWE-787
  References:
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T13:35:45.953Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44637

Vulnrichment

Updated: 2026-05-15T13:35:37.124Z

NVD

Status: Analyzed

Published: 2026-05-14T20:17:08.847

Modified: 2026-05-15T17:55:03.837

Link: CVE-2026-44637

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T21:45:25Z

Weaknesses