CVE-2025-61146
Received - Intake
Memory Leak in saitoha libsixel malloc_stub.c Component

Publication date: 2026-02-23

Last updated on: 2026-04-23

Assigner: MITRE

Description
saitoha libsixel until v1.8.7 was discovered to contain a memory leak via the component malloc_stub.c.

Meta Information
Published: 2026-02-23
Last Modified: 2026-04-23
Generated: 2026-06-16
AI Q&A: 2026-02-23
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Vendor: saitoha
Product: libsixel
Version / Range: to 1.8.7 (exc)

CWE
CWE-401: The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Executive Summary

CVE-2025-61146 is a memory leak vulnerability found in the libsixel library, specifically in versions up to and including v1.8.7.

The issue occurs in the malloc_stub.c component, particularly in the custom memory allocation function where allocated memory is not properly freed.

This improper memory management leads to a leak, meaning memory that is no longer needed is not released back to the system.

Impact Analysis

The memory leak caused by this vulnerability can lead to increased memory consumption over time.

If the affected function is invoked repeatedly, this can degrade system performance or stability due to exhaustion of available memory.

Compliance Impact

I don't know

Detection Guidance

The vulnerability CVE-2025-61146 is a memory leak in the libsixel library, specifically in the malloc_stub.c component. Detection involves monitoring for increased memory consumption or instability when the affected libsixel functions are invoked repeatedly.

A proof-of-concept (PoC) test is available that uses the converters/img2sixel tool with specific parameters to trigger the issue and check for expected exit codes (255 or 127). This test can help detect the presence of the vulnerability.

  • Run the PoC test located at tests/issue/207/poc using the command: `converters/img2sixel -h 50% -r lanczos3 -w 300px`
  • Compile the tool with AddressSanitizer enabled to detect memory errors: use the build target `issue-207-vexe` which compiles with `-fsanitize=address`.

Mitigation Strategies

The immediate mitigation step is to update libsixel to a version later than v1.8.7 where the memory leak has been fixed.

The fix involves freeing previously allocated pixel memory in the gif_init_frame() function before allocating new memory, preventing the leak.

If updating is not immediately possible, running the PoC test can confirm whether a build is affected, and monitoring the memory usage of processes that use libsixel can help identify exploitation attempts.

Additionally, recompiling the library or tools with AddressSanitizer enabled can help detect memory leaks during testing and development.
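
The leak-and-fix pattern described above, as an added C example that is not libsixel's code: one frame object is re-initialised for every frame, and the leaky initialiser overwrites the pixel pointer without freeing the old buffer. `struct frame`, the tracking allocator and all function names are hypothetical stand-ins, and the five-frame workload is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-ins: not libsixel's structures or allocator. */
#define MAX_LIVE 32
static void *live[MAX_LIVE];               /* blocks allocated, not yet freed */
struct frame { unsigned char *pixels; };

static void *tracked_malloc(size_t n) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) return live[i] = malloc(n);
    return NULL;                           /* tracking table full */
}
static void tracked_free(void *p) {
    for (int i = 0; p != NULL && i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
}

/* Free and count every block nobody released: the leak total. */
static int reclaim_leaks(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] != NULL) { free(live[i]); live[i] = NULL; n++; }
    return n;
}

/* Leaky pattern: overwrites f->pixels, orphaning the previous buffer. */
static int init_frame_leaky(struct frame *f, size_t w, size_t h) {
    f->pixels = tracked_malloc(w * h);
    return f->pixels != NULL ? 0 : -1;
}

/* Fixed pattern: release the old buffer before allocating the new one. */
static int init_frame_fixed(struct frame *f, size_t w, size_t h) {
    tracked_free(f->pixels);               /* the step the leaky version lacks */
    return init_frame_leaky(f, w, h);
}

/* Re-init one frame `frames` times (constructed workload), free it once. */
static int leaked_after(int (*init)(struct frame *, size_t, size_t), int frames) {
    struct frame f = { NULL };
    for (int i = 0; i < frames && init(&f, 64, 64) == 0; i++) { }
    tracked_free(f.pixels);
    return reclaim_leaks();
}

int main(void) {
    printf("leaky: %d, fixed: %d\n", leaked_after(init_frame_leaky, 5), leaked_after(init_frame_fixed, 5));
    return 0;
}
```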
