CVE-2026-33019
Integer Overflow in libsixel img2sixel Causes Out-of-Bounds Read
Publication date: 2026-04-14
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| saitoha | libsixel | up to 1.8.7-r1 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in libsixel allows an attacker to trigger an out-of-bounds heap read, which can lead to potential information disclosure. Such information disclosure vulnerabilities can impact compliance with data protection regulations like GDPR and HIPAA, which require the protection of sensitive data from unauthorized access or leaks.
However, the provided information does not specify the nature of the data that could be exposed or whether the vulnerability directly leads to exposure of personal or protected health information. Therefore, the exact impact on compliance with standards like GDPR or HIPAA cannot be determined from the given data.
Can you explain this vulnerability to me?
The vulnerability exists in libsixel versions 1.8.7 and prior, specifically in the --crop option handling of the img2sixel tool. It is caused by an integer overflow when processing positive coordinates up to INT_MAX without proper overflow-safe bounds checking. This overflow causes the calculation clip_w + clip_x to wrap to a large negative value, which bypasses the bounds guard. As a result, an out-of-bounds heap read occurs when a source pointer far beyond the image buffer is passed to memmove(). An attacker can exploit this by supplying a specially crafted crop argument with any valid image, triggering a reliable crash and potential information disclosure.
How can this vulnerability impact me?
This vulnerability can lead to a reliable crash of the affected application, causing denial of service. Additionally, it may result in potential information disclosure due to the out-of-bounds heap read, which could allow an attacker to access sensitive memory contents.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade libsixel to version 1.8.7-r1 or later, where the issue has been fixed.
Avoid using the --crop option with untrusted input until the update is applied, as it can trigger an out-of-bounds heap read.
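The explanation above describes a bounds guard on the sum clip_w + clip_x that wraps for coordinates near INT_MAX. The C below is an added illustration of that pattern and of an overflow-safe form of the guard; it is not libsixel's code, and the struct, function names and the 640x480 image are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical crop rectangle (x/y offset, width, height), not libsixel's type. */
struct crop { int x, y, w, h; };

/* True if a + b would wrap; the GCC/Clang builtin avoids performing the
 * undefined signed overflow. sum_would_wrap(INT_MAX, 16) is the CVE's case. */
bool sum_would_wrap(int a, int b)
{
    int r;
    return __builtin_add_overflow(a, b, &r);
}

/* Overflow-safe guard. Testing clip_x + clip_w > width lets a wrapped,
 * negative sum pass; testing clip_w > img_w - clip_x cannot, because
 * img_w - clip_x is evaluated only once 0 <= clip_x <= img_w holds. */
bool crop_in_bounds(int img_w, int img_h, const struct crop *c)
{
    if (img_w < 0 || img_h < 0)
        return false;
    if (c->x < 0 || c->y < 0 || c->w <= 0 || c->h <= 0)
        return false;
    if (c->x > img_w || c->y > img_h)
        return false;
    /* Both differences lie in [0, img_w] / [0, img_h]: no overflow here. */
    return c->w <= img_w - c->x && c->h <= img_h - c->y;
}

/* Byte offset of a validated crop's first source pixel, computed in size_t
 * so the pointer handed to memmove() stays inside the image buffer. */
size_t crop_src_offset(int img_w, const struct crop *c, size_t bpp)
{
    return ((size_t)c->y * (size_t)img_w + (size_t)c->x) * bpp;
}

int main(void)
{
    struct crop ok  = { 10, 10, 100, 50 };
    struct crop bad = { INT_MAX, 0, 16, 16 };   /* x near INT_MAX, as in the CVE */
    printf("ok  -> %s\n", crop_in_bounds(640, 480, &ok)  ? "accepted" : "rejected");
    printf("bad -> %s (sum wraps: %d)\n",
           crop_in_bounds(640, 480, &bad) ? "accepted" : "rejected",
           sum_would_wrap(bad.x, bad.w));
    return 0;
}
```

The same rearrangement applies to any offset-plus-length check on signed integers: compare the length against the remaining room rather than adding the two operands.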