CVE-2026-33023
Use-After-Free in libsixel GDK-Pixbuf Loader Enables Code Execution
Publication date: 2026-04-14
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| saitoha | libsixel | to 1.8.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to serious impacts including information disclosure, memory corruption, or even arbitrary code execution. Since the vulnerability involves use-after-free, an attacker can manipulate the program's memory to execute malicious code or leak sensitive information.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade libsixel to version 1.8.7-r1 or later, where the issue has been fixed.
Avoid using versions 1.8.7 and prior built with the --with-gdk-pixbuf2 option until the update is applied.
Can you explain this vulnerability to me?
This vulnerability exists in libsixel versions 1.8.7 and prior when built with the --with-gdk-pixbuf2 option. It is a use-after-free issue in the function load_with_gdkpixbuf() within loader.c. The problem arises because the cleanup code manually frees a sixel_frame_t object and its internal buffers without checking the reference count, even though the object was created with reference counting. As a result, callbacks that retain a reference to this object end up holding a dangling pointer after the function returns, leading to use-after-free errors when accessing the object.
The root cause is inconsistent cleanup strategies: one part of the code uses proper reference counting to free objects, while the vulnerable part uses raw free() calls. An attacker can exploit this by supplying a crafted image to any application using libsixel with gdk-pixbuf2 support, triggering the vulnerability reliably.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in libsixel can potentially lead to information disclosure, memory corruption, or code execution when an attacker supplies a crafted image. Information disclosure could impact compliance with standards and regulations such as GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.
However, the provided information does not explicitly detail the direct impact on compliance with these standards or regulations.