CVE-2026-33023
Received Received - Intake
Use-After-Free in libsixel GDK-Pixbuf Loader Enables Code Execution

Publication date: 2026-04-14

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33023
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
saitoha libsixel to 1.8.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in libsixel can potentially lead to information disclosure, memory corruption, or code execution when an attacker supplies a crafted image. Information disclosure could impact compliance with standards and regulations such as GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly detail the direct impact on compliance with these standards or regulations.

Impact Analysis

Exploitation of this vulnerability can lead to serious impacts including information disclosure, memory corruption, or even arbitrary code execution. Since the vulnerability involves use-after-free, an attacker can manipulate the program's memory to execute malicious code or leak sensitive information.

Mitigation Strategies

To mitigate this vulnerability, upgrade libsixel to version 1.8.7-r1 or later, where the issue has been fixed.

Avoid using versions 1.8.7 and prior built with the --with-gdk-pixbuf2 option until the update is applied.

Executive Summary

This vulnerability exists in libsixel versions 1.8.7 and prior when built with the --with-gdk-pixbuf2 option. It is a use-after-free issue in the function load_with_gdkpixbuf() within loader.c. The problem arises because the cleanup code manually frees a sixel_frame_t object and its internal buffers without checking the reference count, even though the object was created with reference counting. As a result, callbacks that retain a reference to this object end up holding a dangling pointer after the function returns, leading to use-after-free errors when accessing the object.

The root cause is inconsistent cleanup strategies: one part of the code uses proper reference counting to free objects, while the vulnerable part uses raw free() calls. An attacker can exploit this by supplying a crafted image to any application using libsixel with gdk-pixbuf2 support, triggering the vulnerability reliably.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33023. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart