CVE-2025-61146
Received - Intake
Memory Leak in saitoha libsixel malloc_stub.c Component

Publication date: 2026-02-23

Last updated on: 2026-04-23

Assigner: MITRE

Description
saitoha libsixel until v1.8.7 was discovered to contain a memory leak via the component malloc_stub.c.
Meta Information
Published: 2026-02-23
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-02-23
EPSS Evaluated: 2026-05-05
NVD
EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: saitoha
Product: libsixel
Version / Range: to 1.8.7 (exc)
CWE-401: The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-61146 is a memory leak vulnerability found in the libsixel library, specifically in versions up to and including v1.8.7.

The issue occurs in the malloc_stub.c component, particularly in the custom memory allocation function where allocated memory is not properly freed.

This improper memory management leads to a leak, meaning memory that is no longer needed is not released back to the system.


How can this vulnerability impact me?

The memory leak caused by this vulnerability can lead to increased memory consumption over time.

If the affected function is invoked repeatedly, this can degrade system performance or stability due to exhaustion of available memory.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability CVE-2025-61146 is a memory leak in the libsixel library, specifically in the malloc_stub.c component. Detection involves monitoring for increased memory consumption or instability when the affected libsixel functions are invoked repeatedly.

A proof-of-concept (PoC) test is available that uses the converters/img2sixel tool with specific parameters to trigger the issue and check for expected exit codes (255 or 127). This test can help detect the presence of the vulnerability.

  • Run the PoC test located at tests/issue/207/poc using the command: `converters/img2sixel -h 50% -r lanczos3 -w 300px`
  • Compile the tool with AddressSanitizer enabled to detect memory errors: use the build target `issue-207-vexe` which compiles with `-fsanitize=address`.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update libsixel to a version later than v1.8.7 where the memory leak has been fixed.

The fix involves freeing previously allocated pixel memory in the gif_init_frame() function before allocating new memory, preventing the leak.

If updating is not immediately possible, running the PoC test and monitoring memory usage can help identify exploitation attempts.

Additionally, recompiling the library or tools with AddressSanitizer enabled can help detect memory leaks during testing and development.
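The allocate-without-free pattern the mitigation answer describes (a per-frame pixel buffer overwritten before the previous one is released), as an added illustration in C. This is hypothetical code, not libsixel's: the tracking allocator, `gif_frame_setup` and `buffers_left_after` are constructed so the orphaned buffers can be counted the way a leak checker such as AddressSanitizer would report them.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical model of a GIF decoder's per-frame setup, not libsixel's code.
 * A small tracking allocator stands in for AddressSanitizer's leak report. */
#define MAX_TRACKED 64
static void *tracked[MAX_TRACKED];
static size_t ntracked;
static void *track_malloc(size_t n) {
    void *p = (ntracked < MAX_TRACKED) ? malloc(n) : NULL;
    if (p) tracked[ntracked++] = p;
    return p;
}
static void track_free(void *p) {
    for (size_t i = 0; i < ntracked; i++)
        if (tracked[i] == p) { tracked[i] = NULL; free(p); return; }
}
/* Buffers still outstanding: what a leak checker would report at exit. */
static size_t live_buffers(void) {
    size_t n = 0;
    for (size_t i = 0; i < ntracked; i++) n += (tracked[i] != NULL);
    return n;
}
static void release_all(void) { /* so the demo itself does not leak */
    for (size_t i = 0; i < ntracked; i++) free(tracked[i]);
    ntracked = 0;
}
typedef struct { unsigned char *pixels; size_t width, height; } frame_state;
/* Per-frame setup. fix_leak == 0: the previous frame's buffer is overwritten
 * and orphaned (CWE-401). fix_leak != 0: it is freed before the new malloc. */
static int gif_frame_setup(frame_state *s, size_t w, size_t h, int fix_leak) {
    if (fix_leak && s->pixels) { track_free(s->pixels); s->pixels = NULL; }
    s->pixels = track_malloc(w * h);
    if (!s->pixels) return -1;
    s->width = w; s->height = h;
    return 0;
}
/* Set up `frames` frames in a row and return how many pixel buffers were
 * still live afterwards (constructed 8x8 frames; buffers are then released). */
static size_t buffers_left_after(size_t frames, int fix_leak) {
    frame_state s = { NULL, 0, 0 };
    for (size_t i = 0; i < frames; i++)
        if (gif_frame_setup(&s, 8, 8, fix_leak) != 0) break;
    size_t live = live_buffers();
    release_all();
    return live;
}
int main(void) {
    printf("leaky: %zu live buffers, fixed: %zu live buffer(s)\n",
           buffers_left_after(5, 0), buffers_left_after(5, 1));
    return 0;
}
```

With the leaky variant every decoded frame leaves one more buffer outstanding, which is the growth in memory consumption the answers above describe; the fixed variant keeps exactly one buffer live.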

