Description
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a wrong NULL check after an allocation call in sixel_decode_raw and sixel_decode causes a NULL pointer dereference whenever the allocation fails. The check tests the address of the output parameter (always non-NULL) instead of the value the malloc returned. On allocation failure, the function continues and writes through a NULL pointer, crashing the process. This is a denial of service against any caller of these public APIs that hits a low-memory condition. This vulnerability is fixed in 1.8.7-r2.
Published: 2026-05-14
Score: 2.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference is triggered due to an incorrect NULL check after memory allocation in the sixel_decode_raw and sixel_decode functions of libsixel. When the allocator returns NULL because of insufficient memory, the code mistakenly uses the always non‑NULL output pointer to write through a NULL pointer, causing the process using these public APIs to crash. The resulting effect is a denial‑of‑service toward any caller that encounters a low‑memory situation.

Affected Systems

The vulnerability affects the libsixel library distributed by saitoha. Versions beginning with the first release that contains the decoding functions and continuing through 1.8.7‑r1 are susceptible. The issue is resolved in the 1.8.7‑r2 update, which introduces the correct NULL check and removes the crash path. Users installing earlier releases should upgrade to 1.8.7‑r2 or a subsequent version that includes the fix.

Risk and Exploitability

The CVSS base score is 2.5, placing the vulnerability in the low severity range. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, indicating that no known exploits are widespread. Nonetheless, the flaw can be triggered during a low‑memory condition that any application invoking the public decoding APIs might experience, potentially causing repeated service interruptions. Exploitation requires the attacker to induce memory exhaustion or otherwise force a failure of the allocation; therefore, the likelihood depends on the environment’s memory management practices.

Generated by OpenCVE AI on May 14, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libsixel to version 1.8.7‑r2 or later, which removes the crash path.
  • If an update cannot be performed immediately, avoid calling sixel_decode_raw or sixel_decode while memory pressure is high; consider capping memory usage or temporarily disabling sixel‑related features.
  • Restart or redeploy services that use libsixel after applying the update to ensure the crash code path is no longer active.

Generated by OpenCVE AI on May 14, 2026 at 21:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:saitoha:libsixel:*:*:*:*:*:*:*:*

Fri, 15 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Saitoha
Saitoha libsixel
Vendors & Products Saitoha
Saitoha libsixel

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a wrong NULL check after an allocation call in sixel_decode_raw and sixel_decode causes a NULL pointer dereference whenever the allocation fails. The check tests the address of the output parameter (always non-NULL) instead of the value the malloc returned. On allocation failure, the function continues and writes through a NULL pointer, crashing the process. This is a denial of service against any caller of these public APIs that hits a low-memory condition. This vulnerability is fixed in 1.8.7-r2.
Title libsixel: NULL pointer dereference
Weaknesses CWE-476
CWE-690
References
Metrics cvssV3_1

{'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L'}

Subscriptions

Saitoha Libsixel
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T14:18:03.581Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44638

cve-icon Vulnrichment

Updated: 2026-05-15T14:17:56.807Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T20:17:08.983

Modified: 2026-05-15T17:54:09.270

Link: CVE-2026-44638

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T22:00:09Z

Weaknesses