CVE-2026-33021
Received Received - Intake
Use-After-Free in libsixel Encoder Enables Remote Code Execution

Publication date: 2026-04-14

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dangling pointer. Any subsequent access to the original buffer by the caller constitutes a use-after-free, confirmed by AddressSanitizer. An attacker who controls incoming frames can trigger this bug repeatedly and predictably, resulting in a reliable crash with potential for code execution. This issue has been fixed in version 1.8.7-r1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2026-04-15
EPSS Evaluated
2026-05-05
NVD
CVE-2026-33021
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
saitoha libsixel to 1.8.7-r1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in libsixel versions 1.8.7 and prior, specifically in the function sixel_encoder_encode_bytes(). It is a use-after-free issue caused because sixel_frame_init() stores a caller-owned pixel buffer pointer directly without making a defensive copy. When a resize operation occurs, sixel_frame_convert_to_rgb888() frees this caller-owned buffer and replaces it with a new internal allocation. This leaves the caller with a dangling pointer, and any subsequent access to the original buffer results in use-after-free behavior.

An attacker who controls incoming frames can exploit this vulnerability repeatedly and predictably, causing reliable crashes and potentially enabling code execution.

This issue was fixed in version 1.8.7-r1.


How can this vulnerability impact me? :

This vulnerability can lead to application crashes due to use-after-free errors when processing SIXEL frames. More seriously, it has the potential to allow an attacker to execute arbitrary code by exploiting the predictable nature of the bug.

If an attacker can supply malicious SIXEL frames to an application using vulnerable libsixel versions, they could cause denial of service or potentially gain control over the affected system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade libsixel to version 1.8.7-r1 or later, where the use-after-free issue has been fixed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart